Systems, devices and methods for securing and tracking drug dispensing devices

ABSTRACT

Systems and methods for controlling and tracking computer devices using a secure communication path between a central database and a device control-file watchdog program. One or more device control-files can be generated to control, limit and track a computer device using a device control-file watchdog program. The system sets limits on the computer device to ensure the user operating the computer device stays within a restricted set of usage limitations. The device control-file watchdog program protects the one or more device control-files and additionally can report on all activities performed by the computer device to the central database.

CROSS-REFERENCE TO RELATED APPLICATIONS

The application is a continuation of U.S. Application No. 17/674,715filed Feb. 17, 2022 which is a continuation of U.S. Pat. No. 11,289,182issued on Mar. 29, 2022 which claims the benefit of and priority to U.S.Provisional Application No. 62/930,876 filed Nov. 5, 2019 and U.S.Provisional Application No. 63/062,359 filed Aug. 6, 2020 the contentsof which are hereby incorporated herein by reference.

FIELD

Embodiments relate to the creation of a secure closed-loop system forthe distribution and usage of prescription drugs with protection of thecomputer files encoding prescriptions, including dosage requirements andthe monitoring of drug consumption described in the files. Theembodiments further relate to control of access to dispensing devicescontaining drugs and the subsequent tracking of the daily usage.

INTRODUCTION

There is a need for control of the use of drugs or supplements. There isa need for the control of use of potentially addictive drugs by peoplewho are addicts or people who may be susceptible to becoming addicted.This is an example and there is a need to control the delivery of othertypes of drugs. A person may not want to ingest a drug or may want toingest too much of the drug. For example, people who are addicted todrugs are often required to attend a pharmacy or other medical facility(usually on a daily basis) to receive their prescription and to consumeit under the supervision of the pharmacist or other health careprofessional. This exercise is expensive and cumbersome and putsunnecessary strain on the health care system.

People can engage in double-doctoring and/or can try to have theirprescriptions filled at multiple pharmacies. These problems extendbeyond opioids into sleeping pills, Ritalin™, Concerta™,benzodiazepines, barbiturates, cannabinoids, anabolic steroids andpsychostimulants, other stimulant type medications and any other drugthat might be highly sought after. There is a need for better trackingof drug distribution and usage, such as for potentially addictive drugs,for example.

There is also need for a system that can generate tracking data for drugcompliance reports. Whether they are taking a solid pill, receivinginsulin from a pump or receiving an inhaled medication, they often needhelp and guidance to stay on top of their drug consumption times andfrequency. In some cases missing a drug dose can be fatal and will killsome patients.

Systems might have limited security for loading and dispensing drugs.They attempt to restrict access of the user after they have left thepharmacy with drugs in hand. They also allow the patient to controldispensing and set up their own access methods. Additionally, systemsmight not ensure that communications and files are secure and encryptedbetween the patient and the tracking system, which can leave the patientand dosage information exposed and vulnerable.

SUMMARY

Embodiments described herein relate to a method of creating, modifyingand tracking a dosage rule file between a database and a drug watchdogprogram running on a dispensing device.

Embodiments described herein relate to a computer implemented method ofsecuring and tracking a dispensing device and a dosage rule file using acentral server and a drug watchdog program running on the dispensingdevice. The method can involve at a central server having a hardwareprocessor with an interface and a non-transitory memory storing adatabase, authorizing a login using the hardware processor to matchcredentials of the user against a database of authorized users stored inthe non-transitory memory and receiving dispensing device identificationfor the dispensing device for storage in the non-transitory memory;generating a dosage rule file by receiving input data at the interfacefrom the authorized user and encoding at least drug consumptioninformation, identification of the drug consumer, and additionalauthorized users into machine readable instructions for a drug watchdogprogram; identifying a destination dispensing device to receive thedosage rule file using the hardware processor to access the dispensingdevice identification in the non-transitory memory; establishing asecure communication link to encrypt messages exchanged with thedispensing device with encryption keys to confirm the identificationinformation of the dispensing device; transmitting, using the securelink, the dosage rule file to the destination dispensing device; at thedestination dispensing device having a hardware processor and anon-transitory memory storing the drug watchdog program and the dosagerule file, executing the dosage rule file and the drug watchdog programusing the hardware processor to access the non-transitory memory, andupon execution, the drug watchdog program continuously running on thedestination dispensing device and reading the dosage rule file to: opena compartment of dispensing equipment to receive drugs matching the drugconsumption information in the dosage rule file; detect closure of thecompartment and drug provisioning of the dispensing device; uponauthorizing bio-identity input, send a provisioned stage reached messageto the central server to program the processor to a provisioned stage;receive a begin deployment command from the central database to programthe processor to a deployment stage of the dispensing device; activatetimers upon deployment on the dispensing device to control release ofthe drugs contained in the compartment for the drug consumer; andencrypt messages using the encryption keys; and send the encrypted drugconsumption messages for decryption by all authorized users to thecentral database upon expiration of at least one of the timers.

In some embodiments, the method involves at the central server,providing the interface to receive the input from the authorized user togenerate the completed dosage rule file.

In some embodiments, the method involves detecting a connection from aselected dispensing device to a user’s computer system; providing, tothe authorized drug dispenser, the interface on the central server inorder to generate the completed dosage rule file; upon detecting thefinishing of the completed dosage rule file, using the selecteddispensing device’s identification received from the dispensing devicethrough its connection to the user’s computer, to establish the securechannel to encrypt all messages exchanged between the dispensing deviceand the central server; and transmitting the completed dosage rule fileto enable the provisioning of the dispensing device.

In some embodiments, the method involves at the destination devicerunning the drug watchdog program, establishing a secure datacommunication path with the central server by using the dispensingdevice’s identification to select encryption keys; and receiving anindication from the central server over the secure data communicationpath that the dosage rule file is ready for transmission to thedestination dispensing device, the completed dosage rule file encryptedusing encryption keys linked to the dispensing device identification.

In some embodiments, the method involves, at the destination dispensingdevice, establishing a secure communication link between the compartmentand the hardware processor for data exchange, opening the compartment bysending control messages to the compartment of the dispensing deviceover the secure communication link, wherein the compartment of thedispensing device is separate from the hardware processor of thedispensing device.

In some embodiments, the method involves identifying the destinationdispensing device as having dispensing equipment separate from thehardware processor of the dispensing device running the drug watchdogprogram, the dispensing equipment comprising the compartment, andencoding an identifier for the drug dispensing equipment in the dosagerule file.

In some embodiments, the opening of the compartment requires aconfirming status message from the central server to instruct the drugwatchdog to perform an unlock procedure.

In some embodiments, the method involves, at the central server,allowing multiple dispensing devices to be in a provisioned stage, andsending a begin deployment command to only one dispensing deviceassigned to the same drug consumer at a time.

In some embodiments, the method involves, at the central server,detecting that a deployed dispensing device has run out of drugs andsending a begin deployment command to the next provisioned dispensingdevice for the same drug consumer.

Embodiments described herein relate to a computer implemented method ofsecuring and tracking a dispensing device and a dosage rule file by anauthorized drug dispenser using one or more central servers for managingdispensing devices and a drug watchdog program running on the dispensingdevice. The method involves: at a hardware processor coupled to anon-transitory memory storing a prescription database of authorizedusers, authorizing a login using the hardware processor matching thecredentials of the user against the prescription database of authorizedusers stored in the non-transitory memory to create an authorized drugdispenser; searching by the authorized drug dispenser for prescriptioninformation using the hardware processor to access the prescriptiondatabase stored in the non-transitory memory, the authorized drugdispenser linked to a drug consumer’s identity; creating a dosage rulefile encoding the prescription information, the drug consumer’sidentity, drug consumption information and additional authorized usersfor the dispensing device into machine readable instructions for thedrug watchdog program that can be downloaded to the dispensing device;establishing a secure data communication path with the central serverused for managing dispensing devices, by using the hardware processor todetermine identification of the dispensing device to select encryptionkeys; encrypting the dosage rule file using encryption keys linked tothe dispensing device identification; exchanging with the central serverover the secure communication path the dosage rule file; at thedispensing device having a hardware processor and a non-transitorymemory storing the drug watchdog program and the dosage rule file,executing the dosage rule file and the drug watchdog program using thehardware processor to access the non-transitory memory, and uponexecution, the drug watchdog program continuously running on thedispensing device and reading the dosage rule file to: open acompartment of dispensing equipment to allow drugs to be insertedmatching the drug consumption information in the dosage rule file;detect closure of the compartment and drug provisioning of thedispensing device; upon authorizing bio-identity input from the drugconsumer, sending a confirmation message to the central server to entera provisioned stage; receive a begin deployment command from the centralserver that commences the deployment stage; activate timers upondeployment on the dispensing device to allow the controlled release ofthe drugs contained in the compartment; and send drug consumptionmessages and alert messages for decryption by all authorized users,using the selected encryption keys to the central database when thetimer expires.

In some embodiments, creating the dosage rule file involves moving theprescription information from the prescription database to the centralserver that is used for managing dispensing devices.

In some embodiments, opening of the compartment requires a confirmingstatus message from the central server informing the drug watchdog toperform an unlock procedure.

In some embodiments, the expiration of the activated drug dose timers toallow the release of a drug dose, also includes one or more indicationsincluding modifying the display of LED lights, displaying a message on ascreen, the playing of auditory sounds and the sending one or moremessage to the drug consumer using a configured communication method.

In some embodiments, an alert message transmitted from the dispensingdevice to the central server is relayed from the central server to thedrug consumer using one or more configured communication methods.

In some embodiments, an alert message within the dispensing device issent directly to the drug consumer’s computer device using one or moreconfigured communication methods.

In some embodiments, the decryption of messages by all authorized usersfurther includes the ability for one of the authorized users to modifythe dosage rule file.

In some embodiments, the method involves, at the destination dispensingdevice, establishing a secure communication link between the compartmentand the hardware processor for data exchange, opening the compartment bysending control messages to the compartment of the dispensing deviceover the secure communication link, wherein the compartment of thedispensing device is separate from the hardware processor of thedispensing device.

In some embodiments, the method involves identifying the destinationdispensing device as having drug dispensing equipment separate from thehardware processor of the dispensing device running the drug watchdogprogram, the drug dispensing equipment comprising the compartment, andencoding an identifier for the drug dispensing equipment in the dosagerule file.

Embodiments described herein relate to a computer system for securingand tracking a dispensing device and a dosage rule file. The system caninvolve a central server having a hardware processor with an interfaceand a non-transitory memory storing a database, the interface togenerate and provide a completed dosage rule file encoding at least adrug consumer’s identity, drug consumption information and authorizedusers for a dispensing device into machine readable instructions for thedrug watchdog program, the completed dosage rule file encrypted usingencryption keys linked to the dispensing device identification; adispensing device having a hardware processor and a non-transitorymemory storing drug watchdog program running on the dispensing device,the hardware processor executing the drug watchdog program and uponexecution, the drug watchdog program continuously running on thedestination dispensing device to: establish a secure data communicationpath with the central server by using the dispensing device’sidentification to create an encrypted channel; verify that at least oneauthorized user is in possession of the identified dispensing device bychanging the state of the dispensing device and requiring the authorizeduser to verify that state; receive an indication from the central serverwithin the received status message over the secure communication paththat the completed dosage rule file is ready for download after theauthorized user is verified; exchange the completed dosage rule filewith the central server to enable the provisioning of the dispensingdevice; wherein the hardware processor executes the completed dosagerule file and upon execution, the drug watchdog program reading thedosage rule file to: open a compartment of dispensing equipment to allowdrugs to be inserted matching the drug consumption information in thedosage rule file; detect closure of the compartment and drugprovisioning of the dispensing device; upon authorizing a biometricinput from a drug consumer, sending a confirmation message to thecentral server to enter a provisioned stage of the dispensing device;receive a begin deployment command from the central server thatcommences the deployment stage of the dispensing device; and activatetimers upon deployment on the dispensing device to allow the controlledrelease of the drugs contained in the compartment; and send drugconsumption messages for viewing by all authorized users, using theselected encryption keys to the central server when the timer expires.

In some embodiments, the destination dispensing device establishes asecure communication link between the dispensing equipment and thehardware processor for data exchange to open the compartment by sendingcontrol messages, wherein the dispensing equipment is separate from thehardware processor running the watch dog program.

Embodiments described herein relate to a method of creating, modifyingand tracking a dosage rule file between a database and a drug watchdogprogram running on a dispensing device.

Embodiments described herein can provide a method that can involve, at acentral database, authorizing a login by matching the credentials of theuser against a database of authorized users. The method involvesallowing the authorized user to modify or create the dosage rule file,the dosage rule file linked to at least the identification of a drugconsumer, the dosage rule file encoding at least drug consumptioninformation, the drug consumer’s identity, and additional authorizedusers for this dispensing device. The method involves identifying adestination dispensing device to receive the dosage rule file throughdispensing device identification information linked to credentialsprovided by the authorized login. The method involves encryptingmessages exchanged with the dispensing device with encryption keyslinked to the identification information of the dispensing device. Themethod involves downloading, using the encryption keys, the dosage rulefile to enable provisioning of the dispensing device, wherein the dosagerule file configures the drug watchdog program to: open a compartment ofthe dispensing device to allow drugs to be inserted matching the drugconsumption information in the dosage rule file; detect the closure ofthe compartment to indicate provisioning of the dispensing device;activate timers upon provisioning on the dispensing device to allow forcontrolled release of the drugs contained in the compartment; and senddrug consumption messages for viewing by all authorized users, themessages encrypted using the encryption keys, to the central databasewhen at least one of the timers expires.

In an aspect, embodiments described herein relate to a method ofcreating, modifying and tracking a dosage rule file between a centraldatabase and a drug watchdog program running on a dispensing device. Themethod, involves, at a central database authorizing a login by matchingthe credentials of user against a database of authorized users.

The method involves allowing the authorized user to generate a dosagerule file encoding at least the drug consumer’s identity, drugconsumption information and additional authorized users for thisdispensing device. The method involves identifying a destinationdispensing device to receive the dosage rule file through the receptionof dispensing device identification linked to the credentials providedby the authorized login.

The method involves encrypting messages exchanged with the dispensingdevice using encryption keys linked to the identification information ofthe dispensing device. The method involves downloading, using theencryption keys, the dosage rule file to enable provisioning of thedispensing device, wherein the dosage rule file configures the drugwatchdog program to: open a compartment of the dispensing device toallow drugs to be inserted matching the drug consumption information inthe dosage rule file; detect the closure of the compartment to indicateprovisioning of the dispensing device; activate timers upon provisioningon the dispensing device to allow the controlled release of the drugscontained in the compartment; and send drug consumption messages forviewing by all authorized users, using the encryption keys, to thecentral database, when at least one of the timers expires.

In an aspect, embodiments described herein relate to a method ofcreating, modifying and tracking a dosage rule file between a centraldatabase and a drug watchdog program running on a dispensing device. Themethod involves, at a central database, creating an authorized user byverifying a dispensing device coupled to the user’s computer andpermitting a login; permitting the authorized user to generate acompleted dosage rule file containing at least the drug consumer’sidentity, drug consumption information and additional authorized usersfor this dispensing device; identifying a destination dispensing deviceto receive the completed dosage rule file through the reception ofdispensing device identification provided by the authorized login; usingthe identification information of the dispensing device to selectencryption keys to be used to encrypt messages exchanged with thedispensing device; downloading, using the selected encryption keys, thedosage rule file to enable the provisioning the dispensing device. Thedosage rule file configures the drug watchdog program to: open acompartment of the dispensing device to allow drugs to be insertedmatching the drug consumption information in the dosage rule file;detect the closure of the compartment to indicate provisioning of thedispensing device; activate timers upon provisioning on the dispensingdevice to allow the controlled release of the drugs contained in thecompartment; and send drug consumption messages for viewing by allauthorized users, using the selected encryption keys, to the centraldatabase when the timer expires.

The method can involve creating, modifying and tracking a dosage rulefile between a central database and a drug watchdog program running on adispensing device. The method can involve, at a drug watchdog program,detecting a connection from a selected dispensing device to a user’scomputer system. The method can involve permitting a login by the userto create an authorized drug dispenser. The method can involve allowingthe authorized drug dispenser to use an interface provided through theconnection to generate a completed dosage rule file, containing at leastthe drug consumer’s identity, drug consumption information andadditional authorized users for this dispensing device, on the connecteddispensing device. The method can involve initiating a separateconnection to the central database when the authorized drug dispenserhas finished the completed dosage file. The method can involve using theseparate connection to provide the selected dispensing device’sidentification in order to select encryption keys to be used to encryptmessages exchanged between the dispensing device and the centraldatabase. The method can involve exchanging the completed dosage rulefile with the central database to enable the final provisioning of thedispensing device. The dosage rule file configures the drug watchdogprogram to: open a compartment of the dispensing device to allow drugsto be inserted matching the drug consumption information in the dosagerule file; detect the closure of the compartment to indicateprovisioning of the dispensing device; activate timers upon provisioningon the dispensing device to allow the controlled release of the drugscontained in the compartment; and send drug consumption messages forviewing by all authorized users, using the selected encryption keys tothe central database when the identified user confirms the removal ofdrugs when the timer expires.

The method can involve creating, modifying and tracking a dosage rulefile between a central database and a drug watchdog program running on adispensing device. The method involves, at a drug watchdog program,detecting a connection from a selected dispensing device to a user’scomputer system. The method can involve allowing the user to become anauthorized drug dispenser, by accepting a login at a central databasewhen it confirms the identification information of the connecteddispensing device. The method can involve providing, to the authorizeddrug dispenser, an interface on the central computer in order togenerate a completed dosage rule file containing at least the drugconsumer’s identity, drug consumption information and additionalauthorized users for this dispensing device. The method can involvedetecting the finishing of the completed dosage rule file and using theselected dispensing device’s identification received from the dispensingdevice through its connection to the user’s computer, to selectencryption keys to be used to encrypt all messages exchanged between thedispensing device and the central database. The method can involveexchanging the completed dosage rule file with the central database toenable the final provisioning of the dispensing device. The dosage rulefile configures the drug watchdog program to: open a compartment of thedispensing device to allow drugs to be inserted matching the drugconsumption information in the dosage rule file; detect the closure ofthe compartment to indicate provisioning of the dispensing device;activate timers upon provisioning on the dispensing device to allow thecontrolled release of the drugs contained in the compartment; and senddrug consumption messages for viewing by all authorized users, using theselected encryption keys to the central database when the timer expires.

In another aspect, embodiments described herein provide a method ofcreating, modifying and tracking a dosage rule file between a centraldatabase and a drug watchdog program running on a dispensing device. Themethod can involve, at a drug watchdog program, establishing a securecellular data communication path with a central database by using thedispensing device’s identification to select encryption keys. The methodcan involve sending secure periodic polling messages to a centraldatabase using the confirmed encryption keys to update the dispensingdevice’s status. The method can involve receiving an indication from thecentral database within the received status message that a completeddosage rule file, containing at least the drug consumer’s identity, drugconsumption information and additional authorized users for thisdispensing device, is ready for download. The method can involveexchanging the completed dosage rule file with the central database toenable the provisioning of the dispensing device. The dosage rule fileconfigures the drug watchdog program to: open a compartment of thedispensing device to allow drugs to be inserted matching the drugconsumption information in the dosage rule file. The drug watchdog thendetect the closure of the compartment to indicate the next step inprovisioning of the dispensing device can take place; activate timersupon provisioning on the dispensing device to allow the controlledrelease of the drugs contained in the compartment; and send drugconsumption messages for viewing by all authorized users, using theselected encryption keys to the central database when the timer expires.

Embodiments relate to the creation of a secure closed-loop system forthe distribution and usage of prescription drugs. The embodimentsinclude the protection of the computer files that encode instructionsdefining a prescription, including dosage requirements and themonitoring of drug consumption described in the files. The embodimentsfurther include the control of assigning drugs to a patient, overallaccess to those drugs and the subsequent tracking of the usage.

In an aspect, there is provided a method of controlling and tracking adosage rule file between a central database and a drug watchdog programrunning on a dispensing device. The method involves, at a centraldatabase, authorizing a login by verifying user login data using one ormore authentication means; creating a dosage rule file containing atleast drug consumption information and additional authorized users forthis dispensing device; displaying tracking information from thedispensing device for the additional authorized users; initiating asecure link between the central database and the drug watchdog programby creating and using a shared encryption key; downloading over thesecure link the dosage rule file and other messages related to operationof the dispensing device, wherein the dosage rule file configures thedrug watchdog program to: open a main compartment of the dispensingdevice using an unlock mechanism to allow drugs to be inserted into themain compartment; detect the closure of the main compartment using thelocking mechanism and allowing a controlled release of the drugscontained in the main compartment; and send feedback messages to thecentral database of activities detected on the dispensing device.

In another aspect, there is provided a method of controlling andtracking a dosage rule file between a central database and a drugwatchdog program running on a dispensing device. The method involves, ata drug watchdog program, detecting a connection to a drug dispenser’scomputer; verifying a login by a drug dispenser’s to permit access tothe dispensing device; using an interface to generate a dosage rulefile; initiating a secure link between the drug watchdog program and thecentral database by creating and using a shared encryption key;uploading to the central database over the secure link the dosage rulefile and other messages related to operation of the dispensing device,wherein the dosage rule file configures the drug watchdog program to:open a main compartment of the dispensing device using an unlockmechanism to allow drugs to be inserted into the main compartment;detect the closure of the main compartment through a locking mechanismand allowing the controlled release of the drugs contained in the maincompartment using an ejection mechanism; and send feedback messages tothe central database of activities detected on the dispensing device.

In some embodiments, the authenticating means is a connection to anauthenticated dispensing device.

In some embodiments, the authenticating means matches login informationto data received from one or more governing body of professionals andgovernment organizations.

In some embodiments, the drug consumption information includes thenumber of drugs to be inserted into the dispensing device.

In some embodiments, an additional authorized user can also have thedosage rule file updated and downloaded to the dispensing device.

In another aspect, there is provided a method of controlling andtracking a dispensing device for delivery of prescription drugs for adrug consumer using a dosage rule file for configuring a drug watchdogprogram to control the dispensing device. The method involves generatinga login procedure to establish an authorized drug prescriber and anauthorized drug dispenser by matching credentials for authorized drugprescriber and the authorized drug dispenser to data encoding drugprescribers and drug dispensers; generating the dosage rule file for thedrug consumer containing at least drug consumption information based oninput from an authorized drug prescriber and identification informationreceived from a drug consumer; receiving a request from an authorizeddrug dispenser to match a drug consumer’s identification information tothe identification information in the dosage rule file; authenticatingat a central database an attached dispensing device with one or moremessages exchanged with a drug watchdog program running within thedispensing device; downloading, using one or more of the messages, thedosage rule file to the dispensing device for use by the drug watchdogprogram, wherein the dosage rule file configures the drug watchdogprogram to: block all attempts by other programs running on thedispensing device to perform file commands on the dosage rule file; usethe drug consumption information within the dosage rule file to time therelease of drugs contained within the dispensing device through a drugejector; and provide feedback messages of all activities that take placeat the dispensing device to the central database.

In some embodiments, the authorized drug prescriber and the authorizeddrug dispenser use a biometric input as part of creating a loginprocedure at the central database.

In some embodiments, taking identification includes using biometricinformation from the drug consumer.

In some embodiments, the drug dispenser matches the drug consumer’sinformation by taking biometric information from them.

In some embodiments, the authenticating of the dispensing device takesplace by sending a manufactured serial number when exchanging one ormore messages.

In some embodiments, the authenticating of the dispensing device takesplace using public and private encryption keys that were pre-loadedduring the manufacturing process.

In some embodiments, the authenticating of the dispensing device alsorequires a physical connection to a computer within the drug dispenser’slocation.

In some embodiments, the authenticated dispensing device also requiresthe creation of a separate encryption key that is used for all dataexchanges with the central database.

In some embodiments, the authenticating of an attached dispensing devicecan also include the ability to detect the type and number of drugswithin the drug dispensing device to ensure ample supply is present forthe next dose.

In some embodiments, the authenticating of an attached dispensing devicecan also include the ability to detect that there should be ample drugsstill available inside the device and refusing to allow more drugs to beadded.

In some embodiments, the feedback can also include detection ofunauthorized activity upon the file or damage to the file to allow forre-acquisition of the file if needed.

In some embodiments, the feedback can also include detection ofunauthorized attempts to access the contents of the dispensing device.

In some embodiments, the restricting of access on the prescription filealso includes the ability to update the dosage rule file should anauthorized change be needed to the original dosage rule file.

In some embodiments, the feedback also includes providing GPS locationinformation when a change is detected.

In some embodiments, the feedback also includes detecting a misseddosage and sending GPS coordinates.

In some embodiments, the feedback also includes photographic informationtaken each time a single dose of drugs are ejected for the drugconsumer.

In some embodiments, the feedback also includes ingestion informationwhen a signal is received based on ingestion of the drug dosage withinthe stomach of a drug consumer.

In some embodiments, the ingestion information comes from a device thatis worn on the body of the drug consumer.

In some embodiments, the signal is generated by two or more compoundsthat when mixed with stomach acids generate a detectable signal fromwithin the drug consumer’s stomach.

In some embodiments, the one or more messages and feedback message aretransmitted over a cellular network.

In some embodiments, the one or more messages and feedback messages aretransmitted using a WiFi communication method.

In some embodiments, the one or more messages and feedback messages aretransmitted using a Bluetooth communication method.

In some embodiments, the one or more messages and feedback messages aretransmitted using a USB connection.

In another aspect, there is provided a method of using a dosage rulefile to configure a drug watchdog program on a drug dispensing deviceand a central database to track and control the use of prescriptiondrugs. The method involves authorizing a drug prescriber and a drugdispenser at a central database through a secure login procedure;permitting the authorized drug prescriber to create a dosage rule filecontaining drug consumption requirements on the central database;requiring an authorized drug prescriber to acquire an identity for adrug consumer and associating the identity to the dosage rule filewithin the central database; permitting an authorized drug dispenser tosearch for the dosage rule file with the identity provided by the drugconsumer; sending search match results from the central database to anauthorized drug dispenser confirming that the dosage rule file waslocated for the drug consumer; opening a data communications connectionbetween the dispensing device and the central database; securelydownloading the authorized dosage rule file into the dispensing deviceusing one or more messages; allowing the authorized drug dispenser toaccess a drug containment area within the dispensing device to receivethe prescribed drugs; and using the drug consumption information withinthe authorized dosage rule file to guide the dispensing device inpermitting drugs to be dispensed for the matching drug consumer.

In another aspect, there is provided a method of using a drug watchdogprogram working within a dispensing device to control and regulate theuse of prescription drugs. The method involves, within the dispensingdevice, detecting a connection to a computer system that is locatedwithin a drug dispenser’s facility; opening a connection to a centraldatabase to establish an encryption key for creating a securecommunication path; receiving confirmation over the secure connectionpath that an authorized dosage rule file containing operating parameterswill be downloaded for use by the drug watchdog program; permittingaccess to a main containment area to allow the drug dispenser to place aquantity of drugs to be consumed; detecting the closing of the maincontainment area and locking the main containment area to stop anyfurther access to the main containment area; using the operatingparameters within the authorized dosage rule file by the drug watchdogprogram to control the dispensing device, wherein the dosage rule fileconfigures the drug watchdog program to: stop all file access attemptsby other programs on the authorized dosage rule file; use the operatingparameters within the authorized dosage rule file to time the release ofdrugs contained within the dispensing device; send secure messages to acentral database regarding all activities that are detected bydispensing device. The dosage rule file can encode the operatingparameters as machine readable instructions for the drug watchdogsoftware. The operating parameters can relate to the dispensing deviceand related dispensing equipment. The dosage rule file can encode theoperating parameters so that the drug watchdog software can read thedosage rule file to control the dispensing device and related dispensingequipment using the encoded operating parameters.

In another aspect, there is provided a method of controlling andtracking a dispensing device for delivery of prescription drugs by anauthorized drug dispenser using a dispensing device. The method involvesconnecting a dispensing device to a drug dispenser’s computer;establishing an authorized drug dispenser by exchanging credentials withthe dispensing device to create an authorizing login procedure;generating, by the authorized drug dispenser, a dosage rule file for adrug consumer containing at least drug consumption information and thequantity of drugs to be placed into the dispensing device based oninformation provided by the drug prescriber; receiving identificationinformation from the drug consumer by the authorized drug dispenser toinclude within the dosage rule file; inserting drugs matching the amountof drugs indicated in the dosage rule file into main compartment of thedispensing device; provisioning the dispensing device by securelydownloading the dosage rule file by the authorized drug dispenser to adrug watchdog program running on the dispensing device and closing themain compartment to a locked position; wherein the dosage rule fileconfigures the drug watchdog program to: only open the main compartmentby an authorized drug dispenser performing the authorizing loginprocedure; use the drug consumption information within the dosage rulefile to time the release of drugs contained within the dispensingdevice; detect any attempts to break into the dispensing device andreport messages on the detection to a central database, and providefeedback messages of all activities that take place at the dispensingdevice to the central database.

In some embodiments, taking identification from the drug consumerincludes using biometric information from the drug consumer.

In some embodiments, the dosage rule file also contains or encodesbiometric information from the drug consumer.

In some embodiments, the time release of drugs also requires a biometricinput from the drug consumer.

In some embodiments, a failsafe procedure is provided to the drugconsumer to release one or more additional dosages of drugs should afailure be detected when attempting to dispense a drug at the appointedtime release period.

In another aspect, there is provided a method of using a drug watchdogprogram working within a dispensing device to control and track the useof drugs. The method involves, at a dispensing device, detecting anauthorized connection to a computer system using one or more approvedconnection methods; authorizing access over the approved connection to adrug dispenser using their credentials to create an authorizing loginprocedure; permitting access to a main containment area to allow theauthorized drug dispenser to place a quantity of drugs to be consumed;accepting the download of a dosage rule file that contains at least thetimed dosage requirements and the amount of drugs to be placed withinthe main containment area; detecting the closing of the main containmentarea and locking it to stop any further access; using the operatingparameters within the dosage rule file by the drug watchdog program toguide the daily operation, wherein the dosage rule file configures thedrug watchdog program to: stop all file access attempts by otherprograms on the dosage rule file; use the operating parameters withinthe authorized dosage rule file to time the release of drugs containedwithin the dispensing device; send secure messages to a central databaseregarding all activities that are detected, and only open the maincompartment when the authorizing login procedure is successfullyexecuted.

In some embodiments, the taking identification from the drug consumerincludes using biometric information from the drug consumer.

In some embodiments, the dosage rule file also contains biometricinformation from the drug consumer.

In some embodiments, the time release of drugs also requires a biometricinput from the drug consumer.

In some embodiments, a failsafe procedure is provided to the drugconsumer to release one or more additional dosages of drugs should afailure be detected when attempting to dispense a drug at the appointedtime release period.

BRIEF DESCRIPTION OF DRAWINGS

The following detailed description of the invention is better understoodwhen read in conjunction with the included figures. The included figuresare intended to illustrate one implementation of the invention for oneskilled in the art. These exemplary illustrations are not intended tolimit the disclosure to the specific embodiments shown herein.

FIG. 1 is an illustration of a network overview showing drug prescribersand drug dispensers.

FIG. 2 shows an embodiment of a network overview showing the use of atamper-proof dispensing device in a wireless network.

FIG. 3 shows another embodiment of a network overview showing the use ofa tamper-proof dispensing device.

FIG. 4 is an illustration of two embodiments of the drug dispenser beingused by a patient for accessing their drugs.

FIG. 5 is a more detailed illustration of a drug watchdog system withina drug dispensing system.

FIG. 6 is one embodiment of a user interface for an authorized user toset up a dispensing device for a patient needing prescription drugs.

FIG. 7 is one embodiment of a user interface for an authorized user toview patient compliance and usage information for an assigned dispensingdevice.

FIG. 8 a dataflow diagram of one embodiment for a drug prescriber to setup a dosage rule file.

FIG. 9 is a data flow diagram of one embodiment showing the firstinteractions between a drug dispenser and a drug consumer.

FIG. 10 is a data flow diagram of one embodiment for a drug dispenser towork directly with a dispensing device to provision a dosage rule file.

FIG. 11 is a data flow diagram of one embodiment for a drug dispenser towork with the central database to provision a dosage rule file.

FIG. 12 is a data flow diagram of one embodiment for the process todownload a created dosage rule file from a central database to adispensing device.

FIG. 13 is a data flow diagram of one embodiment that illustrates stepsin the first steps of the provisioning stage for a dispensing device.

FIG. 14 is a data flow diagram of one embodiment that illustrates stepsfor finishing provisioning and entering the deployment phase for adispensing device.

DETAILED DESCRIPTION OF DRAWINGS

Embodiments described herein provide a system and method for trackingand controlling devices and operations involved in the processes ofprescribing drugs and the distribution and consumption of those drugs isprovided.

Embodiments further describe the feedback of information to multipleconnected systems to communicate accurate information about thedistribution and use of any drug that needs this advanced trackingsystem. The embodiments described can support clinical drug trials whentracking and control of new drugs is necessary, for example. Theembodiments can support the senior citizen population where severalhealth issues can cause problems with taking medications consistentlyand safely, as another example. The embodiments can be used fordifferent drugs, supplements, and other controlled substances. Patientsmight forget if they have already taken their medications or mightoverdue their medications on purpose.

Several embodiments are possible when using the system to control awide-range of medical devices. The system has a central server with oneor more hardware processors and non-transitory memory storing centraldatabases. There can be a secure connection between the central databaseand the one or more processors of the central server, and the drugwatchdog program. This system also allows for feedback and reporting ofall trackable events on the drugs being consumed from those devices.

Medical devices can have several embodiments and can be built using manypotential methods. They might dispense a wide range of physical pills,liquid compounds and vapour compounds. In some embodiments they are asingle physical device with all communications equipment, controlfirmware and dispensing equipment. The dispensing equipment can be drugdispensing equipment, such as a compartment or container for drugs. Thedispensing device can integrate dispensing equipment. The dispensingdevice can be separate from the dispensing equipment and have a securecommunication path with the dispensing equipment for data exchange andcontrol commands to actuate the dispensing equipment, for example. Thedispensing device and dispensing equipment can involve multiplecomponents connected by secure communication paths or channels formessage exchange. The dispensing device can be referred to as acontrollable medical device with dispensing equipment that can becontrolled or actuated by control commands or messages. In otherembodiments one or more systems (e.g. computer hardware processors andnon-transitory memory storing instructions) make up the controllablemedical device. In this application the term “dispensing device” can beused to identify the one or more computers that make up all neededfunctional elements of the secure, controllable and monitorabledispensing of drugs.

The dispensing device can have a hardware processor that executes andruns the watchdog software stored in non-transitory memory. Thedispensing device (having drug watchdog software stored innon-transitory memory) can be associated with dispensing equipment forthe drugs. The dispensing equipment can include a compartment for drugsthat can be controlled and monitored by the dispensing device using thedrug watchdog software and dosage rule file. The dispensing device canintegrate the dispensing equipment, for example, and can have aninternal communication system for exchange data or messages. Thedispensing device (having drug watchdog software stored innon-transitory memory) can be separate from the dispensing equipment(e.g. compartment for the drugs) and in communication over a securechannel to exchange data and control commands. The dispensing device cansend commands to the dispensing equipment to actuate components, forexample. The dispensing device and the dispensing equipment can alsocommunicate with other components to exchange commands and actuatecomponents of the dispensing equipment. The dispensing equipment canalso be referred to as drug dispensing equipment or medical drugdispensing equipment.

The dispensing device can integrate or couple to a computing device withat least one hardware processor, non-transitory memory, and at least oneI/O interface, and at least one network interface. The I/O interface caninclude software and hardware configured to facilitate communicationswith the processing unit hardware processor and/or communications touser devices, dispensing equipment, or the central server. The hardwarecan include display screen configured to visually display graphics, textand other data. The memory is configured to store information, includingboth data and instructions. The instructions which are stored at thememory generally include firmware and/or software for execution by thehardware processor. The memory can store the drug watchdog software andthe dosage rule file. The memory can store the drug watchdog softwarefor execution by the hardware processor. The drug watchdog software canread the dosage rule file in the memory.

The central server can run in a closed environment, like an institutionor in a cloud environment. The central server runs and manages variousdatabases and collectively these systems are called central database inthis application. To highlight the system functions, there are severalembodiments presented to illustrate example use cases for the creationof a closed-loop system for controlling devices and operations fordelivery of drugs a specific drug consumer (e.g. drugs are prescribedfor a drug consumer and only they can access those drugs). Thisclosed-loop system (also referred to as a feedback control system)provides controls and feedback within the system to try to helpeliminate errors and thwart attempts to steal or overuse the drugs thatare prescribed. The central server couples to the central database. Thecentral server can be referred to as the central database herein fordata exchange with other components.

This specific embodiment of a drug monitoring system is built upon arelationship between a central database and a software program which canbe referred to as the drug monitor watchdog program, “drug watchdog”.The drug watchdog is a specific embodiment of the file watchdog. In someembodiments the drug watchdog runs within many kinds of medicaldispensing devices that have specific dosing requirements and requirereal-time monitoring capabilities.

In other embodiments a direct and secure relationship exists betweenseparate computer systems that allow the specific dosing requirementsand real-time monitoring capabilities. Some examples of medicaldispensing devices can include tamper-proof dispensing devices, digitalinsulin injection devices, advanced inhaler devices, intravenous (IV)machines, all referred to as “dispensing devices”. The drug watchdogprovides a safe distribution point for the prescribed drugs for a givendrug consumer.

A dispensing device could be made up of one or more computer devices. Insome embodiments the computer device is self-contained and contains thecellular hardware and drug watchdog firmware, the bio-identitycomponents, and the medical dispensing equipment all in one physicalhousing.

The computer device can have at least one hardware processor,non-transitory memory, and at least one I/O interface, and at least onenetwork interface. The I/O interface can include software and hardwareconfigured to facilitate communications with the processing unithardware processor and/or communications to related dispensingequipment, or the central server. The hardware can include a displayscreen configured to visually display graphics, text and other data. Thenon-transitory memory is configured to store information, including bothdata and instructions. The instructions which are stored at the memorygenerally include firmware and/or software for execution by the hardwareprocessor. The memory can store the drug watchdog software and thedosage rule file. The memory can store the drug watchdog software forexecution by the hardware processor. The drug watchdog software can readthe dosage rule file in the memory.

In other embodiments the cellular hardware and drug watchdog might havethe option of decoupling from the medical drug dispensing equipment. Inthese embodiments there is a secure and impenetrable relationshipbetween the cellular hardware and drug watchdog to the medical drugdispensing equipment. This secure link might be encrypted Bluetoothlink, a Near Field Communication (NFC) with a security handshake basedon various encryption methods like agile encryption methods. In otherembodiments the cellular hardware and drug watchdog are always separateand share a secure and impenetrable link for indicating that a drug canbe dispensed once the patient is authenticated.

In those embodiments where the drug watchdog runs on a separate computerfrom the drug dispensing equipment various close communication methodslike Bluetooth, RFID, Near Field RFID (also called NFC) and various802.11 protocols (also called WiFi) methods could be employed tofacilitate communications. Using one of these methods a secure channelcan be easily created. In embodiments using NFC for example, oneapproach is to use NFC Secure Channel. Using a method likeDiffie-Hellman is acceptable as NFC inherently does not allow theman-in-the-middle attack. With the symmetric key established, NFC SecureChannel can then be used for communications. In other embodiments usingBluetooth communications there are several security protocols to selectfrom. These include L2CAP, RFCOMM in mode 2 and authentication andencryption services for mode 3. Bluetooth 5 also offers four differentsecurity levels where level 4 offers elliptic curve Diffie-Hellman, alsoknown as P-256 which is FIPS (Federal Information Processing Standards)compliant.

The dispensing device acts as both the computer device needing tocontrol the loading of drugs and the authorization to access the drugscontained within the medical drug dispenser. The relationship betweenthe central database and the dispensing device is built uponidentification information created for the dispensing device duringmanufacturing. The drug watchdog uses this identification information tohelp secure the relationship and exchanging information using thissecurity. Once the dispensing device is provisioned and deployed, thedrug watchdog becomes married to a drug consumer and a specificprescription dosage. In one embodiment, this relationship is establishedthrough the injection of encryption keys into tamper-proof memory. Inanother embodiment, this relationship is established through byproviding the device a server-based electronic signature in non-volatilememory. In another embodiment the dispensing device generates a publicand private encryption key pair and provides this to the server over aphysical link, like a USB cable during the manufacturing process.

The drug watchdog is a computer program that might be a standaloneprogram on a computer device, or it is running as just one applicationof many within an operating system (O/S). The programs goal is tosafeguard the dosing and personal information of the drug consumer andto ensure the configuration information (“Dosage Rule File”) is notdamaged, stolen, hacked or deleted through nefarious means. The drugwatchdog can employ several methods to ensure the inputs and messages itis sending to the central database are valid and secure. Allcommunications are secure between the central database and the drugwatchdog. Protection ensures the drug watchdog is not running on acloned system, that is providing similar inputs and outputs to the realdispensing device and who is trying to use confusion and counterfeitingto invade the central database. There are several embodiments to solvethis problem.

In one embodiment for example, the dispensing device would use a secureenclave methodology. The secure enclave is a protected environment onthe dispensing device that is tamper-proof and where memory cannot beaccessed directly. Only protected software running within the secureenclave can access the memory and perform actions with informationprovided. By locking a public and private encryption key pair into thesecure enclave, an encryption method can be employed to ensure only thecentral database is able to decrypt the data and confirm it is from aknown secure source. In this way the secure enclave offers an encryptionservice to the drug watchdog and it will encryption on its behalf even asmall amount of data to ensure the authenticity of the environment. Forexample, the dispensing device’s unique identifier could be signed(encrypted) using the private key of the dispensing device, protected inthe secure enclave to valid the source of any given message by thecentral database.

In another embodiment an electronic signature is provided by the centraldatabase and is stored in non-volatile memory at the end ofmanufacturing. This signature can not be extracted or changed but can beread and provided to the drug watchdog every time it needs to send asecure message to the central database. The electronic signature couldbe unique for every dispensing device created. These two examples andothers can provide an advanced level of confidence that the drugwatchdog can verify that the information it is sending to the centraldatabase is secure, authorized and that the communication informationhas not been tampered with.

The process of programming the drug watchdog software is done usingprescription information and configuration information to create agrouping of information called the dosage rule file in this application.Whether the drug watchdog is running within the same physical housing ora separate physical housing it always manages the dosage rule file andhow it gets accessed. The dosage rule file is a collection of items thatcan be represented as a continuous file, a collection of parameters in amessage or a collection of stored memory parameters in one or morememory locations. The dosage rule file is then managed through thecentral database by those individuals that have been given rights toaccess this information. Between the central database and the drugwatchdog one or more secure identification measures are employed toensure complete security and exchange of all information including thedosage rule file.

The overall operation of the system involves three main stages: theauthentication stage, the provisioned stage, and the deployment stage.These stages can involve various embodiments. The first stage ofauthentication confirms the identity of the person wanting to provisionand deploy a dispensing device. The provisioned stage is defined as allthe steps necessary to reach the deployment stage. The deployment stageis defined as the active dispensing of medication in the dispensingdevice as instructed by the drug watchdog directly or using a securerelationship to the dispensing equipment.

Provisioning starts with building the dosage rule file and exchanging itbetween the central database and the drug watchdog. Provisioningcontinues once the dosage rule file is confirmed and the drug dispensingequipment can be opened for loading. In some embodiments this happensvia comments directly from the drug watchdog software to the drugdispensing equipment. In other embodiments the drug watchdog willestablish a secure connection to the drug dispensing equipment and issuean open main drug dispensing compartment command. Once opened, the drugdispenser will be allowed to load drugs matching the dosage rule file.

In some embodiments, matching can be confirmed using various pillscanning methods as the drugs are inserted into the dispensing device.For example, the pill itself might have a bar code, Q-code or someprinted indicators identifying the exact composition of the pill. Therecould be an outside covering over each pill that has a code printed onit to identify exactly what the pill is composed of. Some coverings ofplastic or blister pack can be used to protect the pill fromcontamination and make the pill more readily identifiable. In someembodiments some coverings could also include low-frequency RFID tags tomake counting and identifying the drugs easier. When inserting the pillwould pass through a small scanner on the dispensing device thatconfirms the correct pills are being inserted into the device.

Once the pills are loaded and confirmed, the drug dispensing equipmentcan be closed to move to the final step of provisioning. The drugwatchdog is informed of this closed state and securely relays thisinformation to the central database. Finally, the provisioning iscompleted when bio-identity information is successfully provisioned fromthe drug consumer and the dispensing device enters the provisionedstage. When it enters this stage, the central database is informed via asecure message exchange. Only when the dispensing device is in theprovisioned stage can the central database send a begin deployment tomove it into the deployment stage.

In this application bio-identity is defined as anything directly relatedto the drug consumer. Therefore, a person’s bio-identity can includebiometric information like fingerprints, facial recognition, voicerecognition, palm scan, deep vein scan, retina scan and any combinationof biomedical data. In this application biomedical data refers toinformation physically related to the drug consumer. For example, itwould include urinalysis results, heart rate results, EKG results, EEGresults, blood results, stool analysis, urine test strip results, salivaanalysis, tear drop analysis or many other possible identifiableparameters about the drug consumer. Additionally, biomedical orbiometric information could include photographic or video information.For example, an initial photograph might be used in front of a drugdispenser to confirm the visual identity of a drug consumer and thensubsequent photographs can be compared to it. In another example aphotograph might be taken of a drug consumer placing a pill in theirmouth this is biometric evidence of drug consumption in someembodiments. In another example a drug consumer takes a photograph of aurine test strip and provides that as a status result from taking theirmedication. When all the biometric and biomedical data has beencollected and confirmed to the drug watchdog’s satisfaction andconfiguration requirements, the dispensing device enters the provisionedstage.

Deployment stage is the process where the drug watchdog program executesthe dosage rule file by opening, reading, protecting and processing theinformation. The central database determines exactly when the dispensingdevice will enter the deployed stage by sending a secure messageindicating it can move to this final stage.

Executing can further involve setting up timers, triggers, hardwareinterrupts, events and other actions to guide the behaviour of thedispensing device. The guidelines and rules for the prescription aremanaged and enforced by the drug watchdog after the drugs are securedwithin the dispensing device. Deployment also includes the drug watchdogproviding tracking information for detected events that transpire on thedispensing device. The events can also be detected on other dispensingdevices connected to a central database. For example, whenever drugs areconsumed, drug low warning messages, dispensing device power issues andmany others. Further details on these messages are provided herein.

Authorized health support workers can then see these messages on aconnected interface and be warned of alerts when series issues arise.The drugs that are placed in the dispensing device could be in solid, insome embodiments in liquid form, they could also be in a vapour form. Insome embodiments the drugs are tablets or in other embodiments the pillsare capsules. The capabilities and different types of dispensing deviceswill provide for a myriad of possible embodiments depending the type ofdrugs that need to be dispensed.

For the authorization stage, there are several authorization embodimentsto confirm which health care professionals are allowed access to thedrug monitoring system. The following are just a few of the embodimentsthat can exist when deploying the system.

In one embodiment a certified doctor and a certified pharmacist aredirectly granted rights through the creation of a login and passwordaccess. This could be done in a private institution, like a hospital,health clinic, drug trial program a seniors’ home or in many otherembodiments. In another embodiment, the company running thecloud-service offering hosting the central database verifies everyperson before creating an authorized login and password for them. Inthese embodiments, one or both involved of the drug prescriber and drugdispenser will log into a central database to have their credentialsconfirmed.

Once authorized, the doctor might initiate the provisioning processwhich starts with accessing a user interface (UI) for the creation of adosage rule file and the pharmacist completes the dosage rule filebefore it is loaded onto the dispensing device. Either of theseindividuals can then extend a limited authorization to one or morehealth care worker to see tracking information and to receive alertsfrom the dispensing device for a given drug consumer.

In another embodiment an e-prescription system like PrescribeIT™ inCanada, is used by the certified doctor and the certified pharmacist toestablish a prescription for the patient. In the United States moreregionally-based and product-based solutions for e-prescribing are usedlike the SilconMesa’s solution called DrFirst EPCS Gold 2.0, AllscriptsHealthcare Solutions, AdvancedMD, AllegianceMD and many more. Onceauthorized, the provisioning stage can begin with the building of thedosage rule file by interfacing to the e-prescribing software to extractthe prescription information to sending it securely to the correctdispensing device using the central database. A national service likePrescribeIT™ in Canada is created by using information from governingbodies for doctors and pharmacists to ensure every person in thee-Prescribing system is authorized. In these embodiments the doctor may,or may not initially be involved with the use of the e-Prescribingservice. In this embodiment the pharmacist would then use theircredentials to create and finish of the dosage rule file on their own.The pharmacist can also add security access information for the doctorand other health care providers through the dosage rule file before itis loaded onto the dispensing device.

In another embodiment there are no legal credentials held by the centraldatabase. In one embodiment the pharmacist connects a dispensing deviceto their computer to establish the authentication stage. With thedispensing device attached they are able to login to the centraldatabase by the fact that the dispensing device user has a known,verified dispensing device attached. In this embodiment the centraldatabase is then able to communicate to the dispensing device throughthe user’s computer. This conversation then allows interrogation of thedispensing device to ensure it is known and available for deployment toa new user. This person can then create a login/password for themselvesto access information for this specific dispensing device. In someembodiments, if this dispensing device owner then uses a consistentlogin/password they can see all the dispensing devices they have usedthis same authentication process with.

Once authenticated using this embodiment, the authorized user can thenstart the provisioning stage. The first step in provisioning isaccessing a UI for the creation a dosage rule file. They also can addother people who can change the dosage rule file and see the trackinginformation. In this embodiment any person can use the dispensing deviceto manage drug consumption and monitor that drug consumption for apatient. As mentioned, this could be a health care work, a child, aspouse or a loved one caring for a sick friend. They might even addinformation about the insurance company providing the financial supportfor the medication so that certain limited information can be providedback to them. Such management might be very important for a person withAlzheimer’s disease for example.

The next embodiment is similar to the previous example. In thisembodiment there is also no credentials kept on the central database.The pharmacist or loved one connects a dispensing device to theircomputer and then only talks to the dispensing device from their owncomputer. The authentication stage is employed by creating a securelogin/password access to this dispensing device. If a login has alreadybeen created, they can re-enter this same login value to gain access. Inthe case of a non-professional health care or loved one using thedispensing device a bypass password can be created. If the dispensingdevice is totally empty of drugs then perhaps after a few failures thedispensing device would open regardless.

In this embodiment, the first steps of provisioning involve the personbuilding the dosage rule file directly on the dispensing device. In turnthe dispensing device talks to the central database on their behalf toupload the dosage rule file. As in other embodiments, the user can thenadd additional people to see the contents of this dispensing device.This could also include providing the additional users with their ownlogin/password to view data and messages generated by this dispensingdevice on the central database. The central database verifies all theinformation and the state of the dispensing device before allowing it tobe opened. In this embodiment any person can use the dispensing deviceto manage drug consumption and monitor that drug consumption for apatient. As mentioned, this could be a health care work, a child, aspouse or a loved one caring for a sick friend. Such management might bevery important for a person with Alzheimer’s disease for example. Theseand other embodiments are possible when following the steps laid out inthis drug management system.

In another embodiment of authentication, the person using the dispensingdevice connects to the central database and enters a piece of requiredidentification information associated to the dispensing device. Thiscould be a serial number, a unique code or a manufactured identifier onthe dispensing device. The central database first verifies theidentification information and attempts to communicate to the dispensingdevice over a cellular network. In this embodiment the dispensing devicesupports a wide area cellular network communication, a private wirelesslocal area network, or a public access WiFi addressable location.

When communication is established it sends a message to the dispensingdevice to immediately perform a change in state. In some embodiments,this change in state could be to illuminate some LED lights in a uniquepattern, in other embodiments it could be to make a series of beeps andin another embodiment it could display a number on a screen or someother action that requires a visual confirmation. The person planning onusing the dispensing device can then enter the unique change in statepresented by the dispensing device at the central database to pass theauthentication stage. If their input matches what the central databasehas sent to the dispensing device, they are considered authenticated andcan work with that dispensing device to start provisioning and create adosage rule file.

In some embodiments this change in state could be performed more thanonce to ensure the person who has logged onto the central database isindeed in possession of a valid dispensing device. Once the personfinishes the dosage rule file it can be downloaded to the dispensingdevice and the dispensing device will open for the loading of the drugs.Once closed a bio-identity input can then be collected and verified andthe dispensing device can enter the provisioned stage. Only in theprovisioned stage can the central database can move the drug watchdoginto the deployed stage.

The overall system operation is controlled through a shared centraldatabase that tracks a dispensing device and allows the owner of thedispensing device to monitor drug consumption. In some embodiments thesystem is used by certified drug prescribers and drug dispensers.Different embodiments will be illustrated showing how drug prescribersand drug dispensers can coordinate their activities to create a safe andsecure system for prescribing drugs. In these embodiments thecoordination between prescribers and dispensers is essential whendealing with high risk drugs. In other embodiments the owner of adispensing device can be anyone offering support services to a drugconsumer. In these embodiments the drug consumer might have need foradvanced control and monitoring of all drug consumption for greaterprotection. For example, in the case of a person with Alzheimer’sdisease, an addict, even a young child, or a teenager where suchprotections could save their life.

In those embodiments where a drug prescriber is involved in the systemthey could be a nurse practitioner, a dentist, a physician, optometrist,pharmacist, or other persons who are authorized to issue a prescriptionWithin this application when the term prescriber or drug prescriber areused they refer to any person that has authority to prescribe drugs to apatient. However, the system is flexible so that the drug prescriberdoes not have to be involved at the initial stage of drug prescribing.In some embodiments the drug prescriber might use legacy methods toprovide a prescription to a drug consumer. In turn the drug consumerseeks out a drug dispenser to receive the prescribed drugs.

In many embodiments these prescriptions are filled by a drug dispenser,which could be a doctor, a pharmacist, a dentist, emergency medicaltechnician (EMT), home care aides, midwife, nurse or other individualswho are authorized to fill a prescription or dispense drugs. In someembodiments the system is used by a person acting as a proxy for thedrug dispenser in order to provide additional protection for a patient.In these embodiments this person might be a health care worker, a familymember or a relative taking care of a patient. In these embodiments theuser of the system might have received a prescription from a pharmacistand has placed this prescription within a dispensing device on behalf ofthe drug consumer.

Within this application when the term dispenser or drug dispenser areused, they can refer to any person that is authorized to provide andmonitor the physical drugs to a patient. The person could be working ina professional and registered capacity, or they could be working onbehalf of drug consumer to help protect them from inappropriate drugconsumption. The drug prescriber and the drug dispenser are both focusedon managing a patient. Patients are individuals that are in need of (orclaim to be in need of) having a drug prescribed and/or dispensed tothem. In this application the patient needing drugs can be referred toas a drug consumer.

A shared central database (“central database”) is defined as a commonhub where prescribers and dispensers coordinate their activities. Inthis application the term central database and central server can bothbe used to refer to the control point for all dispensing devices.Effectively the central server houses the central database in acomputing environment. The central database may also work in conjunctionwith a regional or national e-prescribing system like the PrescribeIT™system. The central database could also be behind a secure firewall,e.g., within a pharmacy or within a doctor’s office. This could bewithin a hospital or running as a cloud-computer service offering.Wherever the central database is located the prescribers and thedispensers have secure access where prescriptions for drug consumers andtracking information on their consumption are securely stored.

In one embodiment the shared database is implemented as a web servicecapable of allowing Internet web browsers to access an interface tosubmit, examine and execute prescriptions and consumption information.In one embodiment customized Electronic Medical Record (EMR) softwarewithin a doctor’s office and Pharmacy Management Software (PMS) within aPharmacy can inter-communicate with the central database to uploadprescriptions that can be used for dosage rule files. These same linksalso allow status, alerts and feedback information to be sent back tothe EMR and PMS systems to help track and monitor drug consumers.

In another embodiment a central database is populated with authorizedindividuals from an organization like the College of Physicians andSurgeons of Ontario (CPSO), or Health Canada, the Medical Counsel ofCanada, U.S. Department of Health and Medical Services, American Collegeof Physicians or similar regulatory bodies around the world. In thisembodiment this master database is a starting point for any prescriberor dispenser to acquire and create an authorization login to the centraldatabase. In another embodiment a hospital might establish who hasprivileges to prescribe and dispense drugs. In this embodiment internaladministrative hospital staff might populate the central database foruse within the hospital for prescribers and dispensers that havehospital privileges. In another embodiment the drug watchdog on thedispensing device creates login rights for the drug prescribers and drugdispensers. In this embodiment the drug watchdog running on thedispensing device acts as an extension of the central database to ensureproper authentication procedures are followed. In this embodiment thedrug dispenser creates one or more authorization login privileges withinthe dispensing device when it is first provisioned for use by a drugconsumer. Then the dispensing device securely uploads theseauthorization logins to the central database for later use by drugprescribers, drug dispensers and other health care professionals.

In another embodiment login privileges and authentication is establishedby the system when a drug prescriber and drug dispenser match theiridentity with a list of all known identities within the centraldatabase. Once populated with information as described earlier theprescriber and dispenser provides several matching information elements.In some embodiments the matching information could include one or moreof their full name, practise name and address. In other embodiments itcould also include a license to practise identifier and/or login code.

Once a drug prescriber or drug dispenser is identified there could beadditional security requirements to further protect against fraud,identity theft and attempts to abuse the system. In some embodimentsadditional security questions might be required that only the prescriberor dispenser would be able to answer. For example, in this embodimentthey might be asked to input the street name they were born on, the nameof their first school or the name of their first pet. These and otherpersonal questions provide a unique way to hamper someone trying tosteal or abuse another person’s login.

In another embodiment the prescriber or dispenser would be required toprovide a biometric using either the dispensing device’s biometricreader, or through a compatible biometric reader. In these embodiments afingerprint, retina scan, facial scan or some other biometric valuewould be taken at the local location and uploaded to the centraldatabase. Once uploaded it is added to the login credentials and eachtime the prescriber or dispenser login they have to provide the samebiometric. Each time the prescriber’s or dispenser’s identity is matchedthey become an authorized user within the central database system.

Once authentication is established, the first step of provisioningstarts with the creation and management of the prescription andconfiguration information for the dispensing device. The creation isfacilitated through a UI provided to one or more of the owners of thedispensing device. This information is collected into a single filecalled the “dosage rule file’ within this application. Althoughtraditionally seen as a physical file this might also be viewed as acollection of information that is exchanged in a message as a singleparsable message.

In an example embodiment, a Java Object Notation (JSON) message carryingall the elements of the dosage rule file is exchanged between thecentral database and the dispensing device.

There are several embodiments for the creation, management andmodification of the dosage rule file. In one embodiment the dosage rulefile is created within the dispensing device by the drug dispenser atthe time of provisioning for a drug consumer. In another embodiment thedosage rule file is created by the drug dispenser on the centraldatabase and downloaded securely to the dispensing device. In anotherembodiment a drug prescriber creates the dosage rule file on the centraldatabase, and it is later located by a drug dispenser and downloaded tothe dispensing device.

However the dosage rule file is created, it will contain informationrelated to the prescription, how the drugs should be taken and a set ofconfiguration settings for how the dispensing device should work withthe drugs. The table 1 illustrates some illustrative examples of thefields and values within the dosage rule file.

TABLE 1 Name of Drug Rx Identification Commonly Used Drug Name SecondaryName Prescriber’s Name, Address, Phone Contact Information Prescriber’sOfficial ID reference number From Oversight Body Patient Name, Address,Phone Identification of Patient Patient Email or Cell Number Alerts forPatient Allowed Patient Health Card Number SIN (Canada) or SSN (USA)Dosage, strength information Perhaps Specific Drug Frequency of doseguidelines Times per day Specific Dosing Time for Each Slot Array ofSlot actions Start time for Drug Dispensing Day: Hour: Minute Number ofpill per dose 1 to ‘N’ pills per dose Minimum spacing for each dose Min.Gap time (used for ‘extra’ dosage) Sleep hours to avoid dosage ‘hh:mm’to ‘hh:mm’ times spread Picture is required for final provisioning OfPicture input required in file for patient Picture approval requiredFrequency of approval (days, weeks, month) Picture is required at everydose taken picture proof is required to get more drugs Extra DosageAllowed - Patient driven Number per day Time needed between two dosesMinutes or hours Maximum doses allow Max total per day Should continuousmissed doses halt further usage? Yes or No IF YES: Number of continuousdoses missed before halting? Number of doses (numeric value) How longafter notification before considering drug missed? <Hours and Minutes,i.e. XX : YY> Maximum Refills Allowed May allow auto refill Food, Drinkand Empty Stomach guidelines Important Requirements General Comments forPatient on Usage Comments for Printing Maximum dose before refillallowed Overlap guidelines Minimum remaining before warning Warninglight turns on Send Warning Message if dose missed? Yes or No Max Timeafter missed dose for a message Minutes or Hours Identification of DrugDispenser - if known Name and ID of person Password for Drug PrescriberAnd Contact Info Password for Drug Dispenser And Contact Info Passwordfor Other Health Support And Contact Info Drug Insurer Information,Update Permission Email Address for Information Details about DrugDispenser License Number, etc. <Other Various Configuration Choices><Many Embodiments>

This is an example of a set of configuration elements that can beencoded in a dosage rule file. There are many other embodiments for thetypes of fields that could be present within the dosage rule file andavailable to a drug prescriber to select from.

Once connected to the central database the drug prescriber device willhave an interface to guide them to fill in the necessary information.This includes a help menu in case there is any confusion on the fieldsprovided. In some embodiments some of the fields will be optional, forexample if the prescriber answers no to the question: ‘Send WarningMessage if dose missed?’ then they will not have to answer the question“max time after missed dose for a message”. Not every possible field islisted in table 2, table 2 is illustrative of some of the expectedfields.

The authorized user for the dispensing device can also add otherauthorized users. As illustrated by table 1 the authorized user can adda drug prescriber, for example a doctor. It could also involve adding ahealthcare support worker, like a nurse or a person with power ofattorney. Further there could be insurer information added so that theinsurance company that is paying for this drug treatment is keptappraised of the patient’s compliance.

Various biometric and biomedical requirements can also be added to thedosage rule file. The example of a picture requirements is shown but thesystem could include urinalysis results, blood testing results (forexample a diabetic blood test), heart rate, EKG, EEG or many otherpossible tests. The system might require approval of the biomedicalinformation. This approval might come daily, weekly, monthly or in someembodiments after every single dose taken.

In some embodiments other more complex configuration options might beallowed perhaps related to location issues and GPS functionality. Theprescriber might need to understand if the drug consumer is roamingoutside of their city or country.

Fields like the dosage, the frequency of use, maximum drugs remainingbefore refill, sending a warning message if a dose is missed and similarconfiguration elements will be used by the dispensing device to helpguide its behaviour. The dosage rule file contains all the fields foundwithin a drug prescription but with certain additional components tosupport function of the dispensing device.

In some embodiments the exact time and action for every available slotor drug within the dispensing device is carefully listed to guide everyaction on every given day. Also shown in this example is the actualstart time when dispensing should commence.

In some embodiments the drug prescriber or the drug dispenser must haltall drug consumption if too many continuous doses of the drug have beenmissed. In this embodiment the drug consumer has failed to perform thenecessary bio-identification procedure to extract the drugs when thedispensing device has informed them their dose is due. The dosage rulefile can also indicate the length of time that must pass before theavailable drug doses is considered missed. In some embodiments thedosage rule file also contains separate access codes or passwords forviewing information provided by the dispensing device at the centraldatabase. In some embodiments this could include a login and passwordand in other embodiments just a password. In some embodiments an emailaddress, cell phone number or other contact numbers could be present. Inthese embodiments when email addresses or cell phone numbers are presentit is possible to send alert messages and alarms to a wide range ofhealth care providers if something were to go wrong with the dispensingdevice or the drug consumer working with the dispensing device.

Additionally, in some embodiments the dosage rule file can containlicense and tracking information on the drug dispenser. In severalembodiments that follow the drug dispenser holds a great deal of powerand trust in the deploying all forms of drugs and in some embodimentshigh-risk drugs. Inputting this information can also assist in allowinga drug dispenser to see all the dispensing devices they have deployed inthe field.

The dosage rule file is also linked to a specific drug consumer viatheir unique identification. In Canada for example this identificationcould be their health card number, a passport number, a driver’s licenseor even a social insurance number (SIN). In the USA, for example, thiscould be a drug consumer’s social security number (SSN), a driver’slicense, a state issued identity card, an insurance health card numberor even a passport number. This identification can be used in a varietyof embodiments within the system. In some embodiments this number willbe used by the drug dispenser to locate a dosage rule file created by adrug prescriber when requested by the drug consumer trying to get theirprescription filled.

In other embodiments the identity information can be used to ensure thissame drug consumer does not try to thwart the system and go to multipledrug dispensers to get their prescription filled multiple times. Inother embodiments this identification is used to ensure the same patienthas multiple dispensers to enable the hot-swap option for ensuring acontinuous drug supply. In other embodiments this identity is also usedby governing bodies or government agencies to confirm who is usingcertain kinds of high-risk drugs. Contact identification like an emailaddress and cell phone number could also be present so the system canalert the patient should their drugs be getting low and they have failedto take notice of the warning provided by the dispensing device. Otheralerts could be sent to indicate the power on the dispensing device islow and it needs to be plugged in for recharging.

In some embodiments a drug consumer might not have properidentification. Perhaps they are homeless, they do not haveidentification with photo and address information present, they could bea new immigrant, or not have official ID for many other possiblereasons. In this embodiment it is possible for the drug prescriber topossess a dispensing device or a compatible biometric reader for thesole purpose of taking a biometric from the drug consumer and uploadingit to the central database. The biometric then becomes associated withthe dosage rule file and in some embodiments, it gets uploaded to thedispensing device for drug dosage authorization. Once this is done thedrug consumer will perform the same step at the drug dispenser’slocation in order to be matched to a dosage rule file. In severe casesof drug abuse and drug addiction these types of extreme measures arenecessary to reduce abuse associated with high risk drugs. In otherembodiments the system requires that a biometric be taken from everydrug consumer and uploaded by the drug prescriber.

In other embodiments the drug prescriber only takes the information theycan easily acquire, even just a name of the drug consumer. However, inthis embodiment the drug dispenser will always take a biometric and thecentral database must scan all current and past dosage rule files toensure this drug consumer is not trying to abuse the system.

Another element of the system is when the drug consumer picks a drugdispenser to fill their prescription and locate or create their dosagerule file. In some embodiments the drug dispenser works directly with adispensing device to create the dosage rule file with the informationprovided by the drug prescriber. In some embodiments the originalprescription from the doctor was on a handwritten prescription pad, inother embodiments this could be a computer printed prescription from thedoctor’s office. In this embodiment after completing the dosage rulefile on the dispensing device, the dispensing device will upload thisinformation to the central database once the drug dispenser finishes thefull provisioning of the dispensing device and it enters the provisionedstage.

In other embodiments the drug dispenser has created login rights at thecentral database and will create the dosage rule file directly withinthe central database. In this embodiment once the dosage rule file iscreated, it is securely downloaded to the dispensing device.

In some embodiments the dispensing device is connected to the drugdispenser’s computer and in other embodiments the information isreceived via another communication path. In some embodiments the drugdispenser has created the dosage rule file on the central database andhas been pre-selected by the drug prescriber. In this embodiment thedrug dispenser could have a list of dosage rule files under their loginname already.

In those embodiments where the drug dispenser has to find a dosage rulefile on the central database, they will search for the dosage rule filein several ways. In one embodiment, they might search for the partiallybuilt dosage rule file by using the drug prescriber’s name or specialidentification number given to them by the drug consumer. In anotherembodiment they use the drug consumer’s name or specific identificationto search for all dosage rule files listed to this drug consumer. Inanother embodiment they can search using both the drug prescriber andthe drug consumer’s information. In another embodiment they take thebiometric of the drug consumer and it matches the biometric to thedosage rule file. In yet another embodiment the dosage rule file isautomatically posted to the drug dispenser’s login profile by the drugprescriber at the request of the drug consumer.

There are several embodiments that allow the central database todetermine how a drugs within dispensing devices can be assigned to drugconsumers. Since the dispensing device and central database keep trackof all dosage rule files in all dispensing devices, and the drugscontained within the dispensing devices it takes full charge of thedispensing device’s activities.

In one embodiment, a drug consumer can not take their dosage rule fileor a dispensing device to another drug dispenser to get refilled. Inother embodiment, the drug consumer can also not take their prescriptionto another drug dispenser to have it filled as they will be flagged bythe central database and it will not let the drug dispenser proceed withprovisioning.

In another embodiment, the drug consumer is able to be in possession oftwo or more dispensing devices with the same drug in them. In thisembodiment only one dispensing device actively deployed and dispensingdrugs for them. Once the first dispensing device is empty of all drugswould the second dispensing device receive a command from the centraldatabase to deploy. Once deployed it will then take over and providedrugs to the drug consumer, thus ensuring a continuous supply of drugs.This process is called the hot-swap method and the central database whocounts and tracks all drug consumption (taken and missed doses), cancontrol this operation.

With the drug dispenser selected, dosage rule file downloaded, and thedrugs loaded, the drug consumer must provide a bio-identity to the drugdispenser to complete the provisioning process. In some embodiment partor all of the bio-identity already associated with the dosage rule filewhen the biometric was taken for initial drug consumer identification.In these embodiments the biometric could be uploaded and used by thedispensing device. In other embodiments the drug consumer must manuallyenter their bio-identity into the dispensing device with the drugdispenser watching. This bio-identity will be used later to allow accessto their daily dose of drugs held within the dispensing device.

When the drug watchdog is running on a separate computer from the drugdispensing device the biometric will be collected on the computerrunning the drug watchdog to allow authorization of all drugs to beextracted.

In some embodiments the bio-identity could be only a biometric and inother embodiments it could include biomedical information. Examples ofbiometric data would include a fingerprint, retina scan, heart rhythm orsome other unique property that is inherent to the drug consumer. Inother embodiments the drug consumer could have a sub-dermal implant thatprovides a unique identification held only by that person. Many otherembodiments are possible including facial recognition, vein scan andother bio-centric techniques.

To change dispensing devices for a specific prescription the drugconsumer would have to get the same drug prescriber involved who createdthe dosage rule file in the first place. The drug prescriber will assistin releasing their relationship to any current dispensing devices and aspecific drug dispenser. In some embodiments where the dispensing devicedevelops a mechanical problem or defect the drug dispenser can swap theexisting drugs between dispensing devices within their secure location.

In some embodiments the bio-identity will use a secure enclave methodfor storing and matching the biometric. In some embodiments a biometricenrollment method is used to extract key identifying features of theindividual from his or her biometric input. An algorithm can then bebuilt from original input and used to confirm subsequent biometricinputs on that system. In this embodiment, a new input is simplyprovided to the biometric algorithm, that encapsulates the keyidentifying features of that individual, for reconfirmation that thebiometric matches the original. In this embodiment the biometric itselfis not stored on the dispensing device, just an algorithm that iscreated by the original biometric. When this algorithm is executed withinput from the biometric reader it produces a match or no match answer.This method can be used by smartphone and small devices with limitedcomputing resources and a high need for security.

In another embodiment the original biometric is stored in a secureenclave and protected from tampering. Then when subsequent biometricinputs are received, they can be passed to the secure enclave whoperforms hidden operations on the biometric to match the two. The secureenclave is tamper-proof to protect the data elements storing the drugconsumers identity.

Once deployed the drug watchdog and dispensing device cannot bereassigned through another drug dispenser or to any other location.There could be a dangerous collection of drugs within the dispensingdevice and these are the responsibility of the drug dispenser. In thoseembodiments where the drug watchdog is running on a separate computersystem, it is possible for one drug watchdog to manage several dosagerule files with corresponding drug dispensing equipment. In this exampleconfiguration the drug watchdog associates a dosage rule file to aspecific piece of drug dispensing equipment and maintains a securerelationship with that drug dispensing equipment separately from allothers. These separate, secure relationships are used to ensure accurateof drug consumption through the drug dispensing equipment.

In some embodiments the drug watchdog protects the dosage rule file (orthe information that makes up the dosage rule file information) andkeeps it encrypted when stored on the dispensing device. This ‘at rest’encryption might use a dynamically generated encryption key held withina secure enclave. It could also receive an ‘at rest’ encryption key fromthe server over that secure link. In these embodiments, it is onlydecrypted when it is in active use to dispense drugs.

In other embodiments the dosage rule file can be encrypted usingencryption keys linked to the dispensing device identification. Theencryption limits and restricts all access to the dosage rule file byother programs and an attempt to hack into the dispensing device tomodify the dosage rule file would fail as the stored copy of the dosagerule file is encrypted. Attempts to modify the dosage rule file wouldresult in damage and a new copy (also encrypted) would have to bedownloaded from the central database.

In other embodiments where the drug watchdog is running on a dispensingdevice with other programs doing additional operations, the drugwatchdog will stop and block any read, write, delete or modify actionsby these programs. The drug watchdog can also report on all activitiesrelated to the dispensing device itself. This includes when it dispensesdrugs and any attempts to break into the tamper-proof area that holdsthe drugs, or unauthorized activity monitored by the watchdog software.In some embodiments the watchdog software reports back on the GPSlocation and if the drug consumer fails to take their drugs or if thedispensing device has been tampered with it can report back with awarning that something could be wrong. Cellular connections as discussedabove are established in several ways.

In other embodiments the secure connection is created via an onboardcellular connection that is possible over 3G and 4G networks. In theseembodiments embedded cellular OEM chipsets are used to provide 3G, 4G,LTE and WiFi (802.11) type communication options to the dispensingdevice. In other embodiments the drug watchdog is contained within awearable lanyard or support device which contains the 3G and 4G cellularlink equipment. In other embodiments a cellular phone is running thedrug watchdog and it supports 3G and 4G communications back to thecentral database. In yet other embodiments a smart watch or wearablecomputer is running the drug watchdog and it is controlling the drugdispensing equipment.

In some embodiments these options are important when a drug consumertakes the dispensing device with them from the drug dispensing location.In these embodiments the drug consumer may or may not have connectivityat home or may be homeless. These cellular methods can be used inconjunction with USB or Bluetooth connections or as an alternative. Insome embodiment even if the dispensing device is connected via USB orBluetooth to a drug dispenser’s computer it still opens a securecellular connection and uses both the cellular connection and thecomputer connection to provide verification over two connection routes.These embodiments exist to further reduce efforts to thwart the systemand reduce abuse by drug consumer to take more drugs then they areprescribed.

When it is time to reload the dispensing device, it must be empty ornearly empty of all drugs and not currently deployed for a drugconsumer. Since the number of physical drugs entered matches theprescription, the drug watchdog and the central database know preciselywhen the drugs contained in the dispensing device are completed. In someembodiments, the dosage rule file will allow for some overlap, to allowfor “topping up” the number of drugs in the dispensing device to ensurea drug consumer does not run out. The overlap would be configurable, andin many embodiments might be a single digit number from 0 to 9 forexample.

In other embodiments the central database allows the consumer to havetwo or more dispensing devices with the exact same drug in them. Thecentral database, who is tracking every drug consumed or missed,determines when the first dispensing device is empty of drugs willdeploy the second dispensing device for active use.

There are also embodiments where any unused drugs might be as a resultof skipping one or more doses on a given day. The drug prescriber mightrequire these drugs to be accounted for and the drug consumer is notallowed to have additional medication. This information can be encodedin the dosage rule file and the drug watchdog detects the missed dosesand can halt the deployment of the dispensing device if the drugconsumer does not follow the dosing guidelines. In these embodiments,where drugs are left over in the dispensing device when it is returned,it is up to the drug dispenser to decide whether to destroy these drugsor include them in the next refill of the dispensing device and reducethe overall amount added.

The central database will keep track of the number of dosages itactually ejects (has remaining) for a drug consumer and will be able tonotice anomalies in the totals. Any such irregularities can then bereported to government officials to act upon, should a drug dispenser besuspect of not following drug consumption and drug dispensingguidelines. Drug dispensers will not be allowed to destroy drugscontained within the dispensing device. The drug dispenser will beallowed to ‘top up’ the existing amount to match the next dosagerequirements or they will have to send the leftover drugs back to themanufacturer for destruction.

In those embodiments where the drug dispenser connects to the centraldatabase from their computer, they might use a public network like theInternet. In those embodiments where a public network like the Internetis used a secure socket layer (SSL) connection might be initially usedto create a private and secure link to the central database. On top ofthe SSL connection the central database and drug watchdog can establishtheir own private security method for enhanced security. If an Internetweb browser is used a special extension to the browser could be used tofacilitate this conversation between the computer and the dispensingdevice.

An encryption process is deployed between the central database and thedrug watchdog to encrypt the dosage rule file before it is exchangebetween the central database and the drug watchdog. As mentioned in someembodiments the central database sends the dosage rule file to thecentral database and in other embodiments it receives the dosage rulefile from the central database. In embodiments where the drug watchdogis running on a separate computer, the encryption method can be extendeddirectly to the drug dispensing equipment

Depending on the embodiment several different types of encryption couldbe implemented using different processes that best match therequirements of the system. This encryption technique, built at theapplication layer, creates a strong bond and encoded link between thedispensing device and the central database. This level of security alsoprovides a higher level of protection for the dosage rule file and allthe messages exchanged between the central database and the dispensingdevice. In some embodiments this allows the drug watchdog to keep theinformation in an encrypted state to protect it from malicious softwareor other hacking methods. Such a security strategy can be used on top ofother lower-level security methods like Secure Sockets Layer (SSL) usingboth server and client certificates are commonly used to provide verysecure communications.

When additional security is required there are many embodiments toimplementing a proprietary solution. For example, in one embodimentpublic-key cryptography might be used. In this embodiment the centraldatabase holds the public key for all deployed dispensing devices thatare manufactured and released for sale. In this embodiment when the drugwatchdog first initializes it detects the lack of a public/private keypair and generates one using several possible embodiments to create alarge prime number needed in the generation of the asymmetric encryptionkeys.

In one embodiment it starts with a number derived from its serial numberto search for a large prime number. In another embodiment it might use anumber found on its subscriber identity module (SIM) card, like theinternational mobile subscriber identity value (IMSI) as a startingpoint to find a large prime number. Then the manufacturer provides thedispensing device’s public key to the central database as eachdispensing device is built, tested and entered into the system. Thispublic key is then associated to a specific dispensing device via itsunique identifier or serial number. This then allows the centraldatabase to send encrypted messages to a specific device when it isselected for use. Similarly, the public key for the central database isprovided to the dispensing device so it can encode messages sent to thecentral database. This embodiment for encryption would be useful toimplement if the system wanted to use a cellular method for provisioningthe dispensing device without connecting it to a drug dispenser’scomputer. The encryption might involve an agile encryption methodology.In this embodiment there might be several different types of encryptionmethods to encrypt the data using the public/private key pair. The typeof encryption selected might be numbered or change periodically to avoidbeing discovered.

In another embodiment a seed value might be used to negotiate a sharedsymmetric key between the two ends. The seed value might be extractedfrom the computer connecting the dispensing device and the centraldatabase for example. In those embodiments where the drug watchdog runson a separate computer, the seed value might come from the drugdispensing equipment and it is known to the central database in advance.In another embodiment the seed value is a serial number of thedispensing device that has also been provided to the central database.In this embodiment the seed value would then be used to negotiate asymmetric encryption key used to exchange information. Such seed valuesare used with negotiation protocols like Diffie-Hellman, SSH (SecureShell), quantum-safe cryptography and SPEKE (Simple Password ExponentialKey Exchange). This embodiment is useful when a computer connection overUSB is used to ensure the dispensing device is in a safe and enclosedenvironment before provisioning with drug. In all cases whether theencryption keys are created during manufacturing, negotiated usingvarious seed values or created based on identification information heldwithin the dispensing device they are always linked or selected based onthe specific dispensing device selected to receive a given dosage rulefile for a drug consumer.

Once the dosage rule file information is loaded into the dispensingdevice the drug dispenser can review the information within the dosagerule file at any time. This information will include comments andsuggestions from the drug prescriber, dosage information, frequency ofdrug consumption and any other relevant information. In some embodimentssome of this information can be printed off or copied out in order topopulate the dispensing device with the correct dosage of drugs.

In some embodiments this information from the dosage rule file isincluded with all the dosage instructions, drug side effects and warninginformation for the drug consumer. In other embodiments the drugdispenser can print off information for the drug consumer and affix aprescription brief on the dispensing device, like affixing instructionsonto a pill bottle. With the dosage rule file successfully downloaded,the first step in provisioning allows the dispensing device to be openedand loaded with the drugs matching the dosage rule file.

In some embodiments, a portion of the total drugs defined by theprescription are loaded into the dispensing device, for example just aweek supply of the drugs. In some embodiments each drug is identifiedand will be confirmed as it enters the dispensing device. This mightinvolve bar code scanning, using an outer covering with bar codeinformation or other simpler detection mechanisms. The drugs could alsobe enclosed in a small package that contains a low-frequency RFID tagthat can be detected and read by the dispensing device. Once loaded thedispensing device can be closed.

With all these setup steps completed the drug watchdog takes charge ofthe dosage rule file parameters and moves to the final step ofprovisioning. To be capable of entering deployment, the drug dispensermust successfully acquire and provision bio-identity information fromthe drug consumer. In some embodiments this can focus on biometricinformation and in other embodiments biomedical information can berequired from the drug consumer. This biometric information could bebiometrics like facial recognition or fingerprint data. In someembodiment this could be voice recognition, deep palm or vein scans oreven retina scans. In some embodiments the provisioning of biometricdata involves the dispensing device confirming the biometric informationis correct by requesting the drug consumer to match the biometricinformation collected a few times before considering the biometric stagefully provisioned. Only when the central database is told by the drugwatchdog that bio-identity information has been confirmed, will thedispensing device enters the provisioned stage. In the provisioned stageit possible for the central database to send a begin deployment commandto begin the dispensing of drugs by the dispensing device. The centraldatabase makes the final decision when deployment is allowed for thedispensing device.

At different times additional biomedical information may also berequired before and during deployment. This information could be used toverify drug consumption or to determine overall health. This couldinclude urine analysis, heart rate results, EKG, EEG, blood test resultsand other information that must be provided. In some embodiments this isprovided directly to the dispensing device and in other embodiments itis provided to the central database through an external device andassociated to the dispensing device and drug consumer. In one example,this external machine could be an blood pressure machine capable ofexternal communications, or a person’s cell phone that has beenassociated to the drug consumer. In these embodiments where an externalmachine is used, the dispensing device would be given a message fromcentral database to finish the provisioning and enter the provisionedstage. The provisioned stage indicates that at any time the centraldatabase can send a begin deployment command to being the dispensing ofdrugs.

Once the biometric and biomedical information is collected andconfirmed, the dispensing device enters the provisioned stage. It isonly in this stage can the central database send a command to active thedeployment stage by the drug watchdog. Entering the deployment stageresults in the drug watchdog that is running on the dispensing device toenter normal operation based following the contents of the dosage rulefile. The dosage rule file contains a wide range of behaviouralinformation to control operation and trigger special situations relatedto the use of the dispensing device. The drug watchdog uses the timingsubsystem and other subsystems within the dispensing device to regulatethe correct consumption of drugs held in the device.

In some embodiments LED lights, auditory sounds, sending a message andvarious visual aids and displays are included to inform drug consumerswhen their next dose of drugs can be taken.

In some embodiments the drug consumer has provided cellular information,electronic mail addresses and other mechanisms that can be employed toalert them that a drug dose is ready for consumption. In theseembodiments one or more messages from the central database could be sentto inform the drug consumer of an important state change within thedispensing device. For example, a low power problem, an RF coverageproblem, a low drugs available warning as well as a next drug doseavailable indication.

In other embodiments the dispensing device has been configured to sendthe message directly to the drug consumer using the configuredcommunication mechanism. Communication methods like USB, Bluetooth, NFCand others could be employed to send a message to a cell phone, a smartwatch or some other type of computer-based device. In other embodimentsthe dosage rule file allows the drug consumer some flexibility if theyneed an extra dosage of drugs, with maximum amounts set and strictlyfollowed by the drug watchdog. These embodiments and many otherembodiments will be highlighted through the figures provided in thisapplication.

In some embodiments it is necessary for the drug prescriber to updatethe dosage rule file to change the dosage of the medication being taken.This embodiment occurs when a drug consumer and drug prescriber are incommunication and the drug consumer needs change their dosage amounts.For example, a patient might phone they doctor and ask for moremedication for pain relief or less pain medication for pain relief asthey are feeling better. In this embodiment the drug prescriber canchange the dosage rule file and request it as an update on the drugconsumer’s dispensing device. This is possible because the centraldatabase has a secure relationship with the dispensing device, even whenthe dispensing device has been deployed and is being used in the field.In some embodiments the change could be delivered near real-time to thedispensing device. In other embodiments there could be check-inintervals. These embodiments are all possible based on the design of thecommunications link between the central database and the dispensingdevice.

For example, if the dispensing device supports a cellular connection,the drug watchdog can checks-in at regular intervals to the centraldatabase to request updates and upload any status information. Duringone of these check-ins the central database can securely send an updateddosage rule file to the drug watchdog on the dispensing device once aconnection is established. In other embodiments the cellular link isalways open and exchanging information. In other embodiments where thedispensing device is using a USB connection and is being plugged in acomputer each evening for recharging, the update would be when thecomputer is activated and a connection can be established.

As mentioned during the deployment of the dispensing device a wide rangeof tracking messages are relayed to the central database over the secureconnection using the encryption keys selected. The messages include theexchange of the dosage rule file, including updates to the dosage rulefile. In those embodiments where a network like the Internet messageformats can be employed to carry these messages. Data exchanges in aformat called JavaScript Object Notation (JSON) can be used for deviceto device communication using HTTP or HTTPS.

In these embodiments in the header of the HTTP message the dispensingdevice identifier will be present for every message. This allows thecentral database to select the correct encryption key to decode themessage. In these embodiments the dispensing device acts as a clientdevice on the Internet and must initiate communication to the centraldatabase running as the server. Responses to HTTP queries must beencoded using the correct encryption key for a specific dispensingdevice. Security is maintained as the payload of the message will not beintelligible when the sending does not have the correct encryption keys.In other embodiments other data payload formats can be used to carry thedispensing device identification value in front of all other encrypteddata. Similarly, the dispensing device identification would be leftunencrypted in these other methods to provide a method to lookup theencryption key.

All exchanged messages would have several categories depending on thenature of the message and its intent. Table 2 below shows one embodimentfor the division of the messages and their categorization. In thisembodiment each message will be built with four distinct components asillustrated in table 2 below: <device identifier><message-version><message-length><payload data>

TABLE 2 Header Device Identifier / Serial Number Message Version MessageLength Message Priority Message Payload Code Meaning Data ElementsPriority Sent by Central Database A-1 Start Provisioning process Dosageparameters for provisioning, opens main compartment Medium A-2 Eraselegacy data, clean system Data to erase (dosage rule file and/ortracking data) High A-3 Download of drug monitor required Timeparameters, new release number High A-4 Drug monitor program data Encodeand compressed device code High A-5 Update to dosage parameters Updateparameters, change state diagram, do NOT open main compartment High A-6Configuration Started Returns back status, contains High count ofremaining drugs A-7 Display LED Pattern for verification Displays for 30seconds, sends confirmation back High A-8 Overrule Requested,immediately Sends back confirmation and totals of drugs inside High A-9Biomedical Input Received Proceed to full Provisioned Stage, biomedicalinput validated High A-10 Biomedical Input Validated Biomedical datareceived has been approved High A- 11 Biomedical Input RejectedBiomedical data rejected, stop all provisioning High A-12 StartDeployment Start deployment, dispense drug following configuration HighA-13 Stop Deployment Stop deployment (many possible reasons) High A-14Force Drug Dose Forces the extraction of a drug dose (perhaps biometricfailure has occurred) High Received at Central Database B-1 PollMessage - any changes to report? Holds open TCP/IP connection ifpossible Low B-2 Dosage Rule File Contents present Encoded andcompressed dosage rule file Medium B - 3 Status message duringprovisioning Details on drug consumer, problems or issues (allow toopen, yes/no) Medium B - 4 Provisioned Stage Reached Number of Drugs indevice (bio-identity collected) Medium B - 5 Provisioning Started, doorclosed Number of Drugs in device (unit closed), waiting on bio-identitycollection Medium B - 6 Drug dose consumed Timing, delay to dose, drugsremaining Medium B - 7 Drug dose missed Elapsed time, time of day,location, other data Medium B - 8 Drug doses low Drugs remaining MediumB - 9 Drugs exhausted Total time since last dose High B - 10 Battery LowCurrent Battery Level Medium B - 11 Battery Dead Drugs remaining HighB - 12 Forced Entry Probability of success High B -1 3 Computer LoginSuccess or Failure High B - 14 Login Failures Total number of continuousfailures High B - 15 Login Blocked Max Failures High B - 16 OverruleResponse Opened Successfully, status and total drugs still inside HighB - 17 Biomedical Data Received Data and data type attached for reviewHigh B - 18 Stomach consumption info Time confirmation of actual drugingestion Medium B - 19 Photo of consumer Digital picture of drugconsumer at dosage Medium B - 20 Audio Played Time to Take Drugs messagePlayed Low C - 1 DEBUG Message Operational Issue, or code issue Low C -2 DEBUG Request Sever might request debug data from a part of memory?Low

Embodiments shown in Table 2 provide one example of a set of messages tobe exchanged between the drug watchdog running on the dispensing deviceand the central database. There will be messages that are sent by thecentral database, labelled as ‘A’ messages and messages to be receivedby the central database, labelled as ‘B’ messages. Additional messageclasses are also possible, for example class ‘C’ message are shown asDEBUG messages for solving low-level operational issues. In some cases amessage type might go in either direction, like the dosage rule filepayload present message. Each message carries a header with the messageversion, message length and a priority. In different embodiments thenumber and size of the data elements might vary. In other embodimentsthe data elements might use a compression algorithm to reduce theoverall size of the message and increase the efficiency of the system.When using cellular communications, it is always a consideration to havesmaller data payloads to increase success of message delivery. The finalmessages B-20, B-21 and B-22 are included for embodiments where thedispensing device supports advanced tracking and audio services.

A portion of the messages exchanged in table 2 relate to special eventsthat take place inside the dispensing device. These might includebattery low, battery exhausted, poor RF coverage or cellularcommunications, low drug levels and many others. In some embodiments toassist the drug consumer, the dispensing device can produce auditablesounds to help guide and warn the user of important issues. The soundscould be noises like beeps and rings, or it could be computer spokenwords or recordings.

For example, beeps or rings could be used for indicating the next drugdose is available, drugs in the dispensing device are running low, thebattery needs changing and other such issues. Such embodiments might bevaluable for an individual with a visual impartment that cannot see LEDlights blinking and flashing. In some embodiments the drug consumer hasprovided cellular phone numbers and email address information so thatalert messages can be sent to notify them of important statusinformation regarding their dispensing device. Messages could informthem that the dispensing device needs to be plugged in for recharging,or they need to replenish their drug supply or that a regular drug doseis ready for consumption are just a few examples of the messages thatcan be sent.

Some embodiments involve the bio-identity operations in the provisioningstage and in the deployment stage can include visual and biologicalinputs for verification in addition to biometric data. These inputs cantake place in many ways to help health care professionals determine howthe drug consumer is doing and whether they are taking theirmedications.

In some embodiments performing the biomedical steps can mean thedifference between receiving your next dose of drugs or not receivingthe next dose of drugs. In some embodiments the biomedical steps mightoccur when a drug consumer is initially provisioning their dispensingdevice. In other embodiments the biomedical input is required atdifferent stages of the drug dosage period. In other embodiments thebiomedical input is required both at the provisioning stage and the drugdosage period. There are several functions for these biomedical inputs.

For example, it could be possible to stop a drug consumer fromextracting their medication but then not actually taking the medication.The drug consumer might sell their medication (illegally) for money,storing smaller doses to combine into a larger dose, or they might beavoiding the medication. In another example the biomedical data mightindicate the drug consumer needs more medication or less medication todo have an improved impact and avoid any harm. Improving patientoutcomes is a goal of the health care field. If there are potential waysto maximize patient outcomes using a camera, or biomedical collectionmethods they are covered under these collection mechanisms.

In one biomedical embodiment the dispensing device can support theability to use additional resources to collect drug ingestinginformation to make decisions about drug access. In these embodimentsthe drugs being consumed have been formulated with additional chemicalcompounds that when ingested react with the acids within the stomach tocreate a signal. These compounds are in use today and can providefeedback to the dispensing device as to whether the drug consumer hasactually taken their drugs and not sold them for profit.

In this embodiment the dispensing device might use a communicationmethod like Bluetooth or Near Field Communication (NFC) to exchangemessages with a wearable device. The device to detect that consumptionhas taken place could be form of an advanced watch, a ring, a bracelet,a band around the stomach or belt detection device or any other itemthat is worn or is in close proximity to the body (referred to as a“wearable device”) to detect when a drug has been consumed and ingested.When dealing with addiction issues it is essential that maximum controlsbe in place to limit abuse. In another embodiment, the wearable devicemight communicate to a mobile device, and the mobile device can thenrelay the information with the drug consumer’s identification and thedispensing device’s identification to the central database. In anotherembodiment the wearable device might communicate to the central databaseitself.

In this embodiment the worn device can pick up the signal from thestomach during drug consumption. Thanks to the feedback and control ofthe central database, the drug consumer will be motivated to ensuretheir wearable device picks up this signal or they will not be able toget their next dose of drugs. In one embodiment once the signal isreceived the wearable device relays a message to the dispensing devicethat relays it onto the central database. In another embodiment thewearable device relays it through a cell phone or similar device to thecentral database with the drug consumer identification and thedispensing device’s identification. In another embodiment the wearabledevice sends the information directly to the central database with thedrug dispenser’s identification and the dispensing device’sidentification. Then the central database authorizes the next dose ofmedication when the time elapses for such mediation within thedispensing device. Since the success or failure of taking a given drugis relayed to the central database, all authorized persons ororganizations that are monitoring a given drug consumer will be madeaware of their progress. This closed-loop method allows for even greatermonitoring of drug consumption and drug abuse.

In another biomedical embodiment, the provisioning and deploymentinvolves camera or sensor devices, and can involve photo or video data.In some embodiments the dispensing device has a built-in camera feature.In this embodiment a very small camera, similar to those used in asmartphone or in some embodiments even smaller are present within thephysical housing the dispensing device. In other embodiments an externalcamera, like one on a smartphone, may be used to satisfy the biomedicalrequirements of the system.

In those embodiments where the drug watchdog is running on a device witha camera, for example a smartphone, it is possible for the drug watchdogto use this camera to satisfy the biomedical requirements of the system.

In these embodiments, the camera can be used to take a photograph orvideo of the drug consumer at different stages of the process. In oneembodiment the drug dispenser is told that a photograph or video isrequired of the drug consumer as part of the provisioning process. Inone embodiment this is used to augment the biometric input method at thefinal stage of provisioning. Once provisioning is complete and the drugconsumer takes the deployed dispensing device home, they might have totake a picture of themselves with the drug in their mouth each time theyeject a dose of drugs for consumption. The photographs can be comparedto a stored image (e.g. photo captured and stored at the provisioningstage) to ensure the correct patient took the photograph and that thedrug has been placed into the drug consumer’s mouth. In anotherembodiment, the original picture at provisioning is not required butonly a picture each time a dose of drug is extracted from the dispensingdevice for consumption. These types of choices can be made when thedosage rule file is constructed to help guide the drug dispenser’sactions when performing the final steps of provisioning.

In another embodiment, the camera is external to the dispensing devicelike a digital camera, a smartphone, a tablet, a laptop of some otherexternal device. In one of these embodiments, once the external devicetakes the photo or video they could be uploaded to the dispensing devicevia Bluetooth, USB, NFC or some other communications means. In anotherembodiment, once the external device takes the photo or video it mightbe uploaded directly to the central database. The photo or video can betimestamped and identified by the patient identification and thedispensing device’s identification. The goal of these embodiments is toacquire one or more photographs or videos in order to ensure that theactual drug consumer interacting with the dispensing device is ingestingtheir medication. The photograph also provides a historical record thatthe correct drug consumer is taking the drugs correctly. Thephotographic or video content can be uploaded to the central database,and a review can be performed by a recognition system or an authorizedhealth care worker, drug prescribers drug dispensers or other authorizedpersons at any time during the drug consumption period.

In yet another embodiment, urinalysis information can be collected andused to determine whether the patient is taking their medication.Analyzing urine can provide different key indicators on a patient. Insome embodiments, an external device is used and the results can berelayed through the dispensing device. The use of portable urinalysisdevices with Bluetooth support is an example embodiment of an externaldevice. In an embodiment the dispensing device can receive and analyzethe urine sample directly. In other embodiments the external urinalysisdevice can talk directly with the central database. In this embodimentthe urinalysis results are included with the patient identification andif necessary the dispensing device identification to ensure the centraldatabase logs the information with the correct patient.

As with other biomedical input, there are several embodiments forhandling urinalysis results. In one embodiment before the dispensingdevice could be deployed by the drug dispenser to the drug consumer,they would provide a urinalysis result. This final step beforedeployment would be added to the provisioning of the biometric input.This would establish a baseline result for further urinalysis outputs tocompare against to help the health care professional determine theeffect of the medication on the patient. In other embodiments a baselinemight not be required and perhaps only occasional urinalysis results arerequired by the drug consumer. In these embodiments the dosage rule filemight indicate that the drug consumer must provide a urine sample justonce a week to ensure the effects of the drugs being consumed are notharming the patient. In another embodiment a urine test strip is usedand photographed by the drug consumer after consumer drugs. Thisphotograph might then be uploaded to the central database eitherdirectly or through the dispensing device.

In other embodiments the biomedical input could be related to a bloodanalysis, to a heart monitor analysis, EKG, EEG, saliva analysis, abreath analysis or some other biomedical test directly involving thedrug consumer. In all these tests a baseline can be taken from drugconsumer and relayed to the central database. In some embodiments anexternal device is used and the information is relayed to the dispensingdevice using USB, Bluetooth, WiFi, NFC or some communication method. Inanother embodiment the external device can communicate directly with thecentral database and provide the patient identification and if necessarythe dispensing device identification. In yet other embodiments, thedispensing device is customized with internal hardware and software toanalyze blood samples, receive heart monitor results, receive breathanalysis results and other results and pass them to the central databasedirectly.

To reinforce the central database’s authority and control over thedispensing device, it alone can send the Start Deployment and StopDeployment command to the dispensing device. It can perform theseactions only after receiving the Provisioned Stage Reached message fromthe dispensing device. In other embodiments there could be protectionfor the drug consumer should a biometric input problem take place. If adrug consumer become panicked about their drugs, they might be able tocall a professional who can immediate force a dose of medication fromthe central database to the drug watchdog.

Turning now to FIG. 1 there is an illustration 100 of a network overviewshowing drug prescribers 104 and drug dispensers 112. The drugprescriber 104 is a licensed professional who can write prescriptionsfor drug consumers 106. They might be working in many possible locations102, like doctor’s offices, hospitals, clinics, emergency departments orsimilar health care locations. These professionals 104 could be a nursepractitioner, a dentist, a pharmacist, a physician or any other personwho is authorized to issue prescriptions. In some embodiments,especially in environments like a dentist’s office, paper prescriptionsare often used 108.

In other embodiments prescriptions are written out on computers 140either within the drug prescriptions office using a ElectronicManagement System (EMS) or externally on another remote system. In someembodiments, a central database 124 used, which has a series ofprocessors 130 providing an interface 132 to one more datum storagesolutions 134. Such hosted systems can offer many features includingaccessing from any location, storage backup and recovery of data toavoid catastrophic loss.

In other embodiments, the drug prescriber 104 might use an e-PrescribingAuthority to create and store prescriptions for drug consumers 106. Inthis embodiment these prescriptions may or may not be handed to the drugconsumer 106 to hand-carry to a drug dispenser 112. The computer 140,114 could be a desktop computer, a laptop computer, a tablet computer, asmartphone or any computer system capable of allowing input ofprescription information through a specialized application or through aweb browser. In some embodiments the computer 140, 114 opens aconnection over a data communication pathway 120 over one or morenetworks 122, 144 to specialized health care focused computers 124, 138and in some embodiments to government agencies to deal and track allprescriptions that are created. In Canada for example the PrescribelT™system 138 has been established to improve the safety and trackabilityof prescriptions.

Following different embodiments the traditional prescription informationwill be included into a larger set of data called the dosage rule file136. Since each step of a prescription’s creation and fulfillment carryessential information this information will form parts of the dosagerule file 136. The system allows the drug prescriber 104 to participatein the computerization and increase safety created by using the centraldatabase 124, 138. In those embodiments where the drug prescriber 104uses a computer 140 to build their prescription it will be placed alongside a larger set of usage and dosage information for the drug consumer106. In some embodiments the computer 140 connects to a regional ornational e-prescribing service 138 like PrescribelT™ in Canada. Whenboth the drug prescriber 104 and drug dispenser 112 use a commone-prescription service 138 the overall prescription system is consideredsafer. In these embodiments the central database 124 can communicate 150with the e-prescribing service 138 to acquire prescription informationfor a drug consumer 106. For example, Canada’s PrescribelT™ systemoffers a REST (Representational State Transfer) API for the sole purposeof allowing EMS and Pharmacy Management Software (PMS) integrationoptions to the national prescription registry.

In this application prescriptions are filled by drug dispensers 112.These same individuals are also involved with the provisioning of thedispensing device 126, 128, 142. Drug dispensers 112 are tasked with theresponsibility of completing the dosage rule file 136 related to thedrugs 116 they are dispensing. Drug dispensers 112 could be doctors,pharmacists, dentists, emergency medical technicians (EMT), home careaides, midwives, nurses or any other individuals who are authorized tofill prescriptions. Their intention is to ensure that drug prescriptionsare followed precisely, for the safety by the drug consumers 106. Thecentral database 124 can also be referred to as the central server 124(with hardware processor and non-transitory memory).

Embodiments described herein relate to a computer implemented method ofsecuring and tracking a dispensing device 126, 128, 142 and a dosagerule file 136 using a central server 124 and a drug watchdog programrunning on the dispensing device 126, 128, 142. The method can involveat a central server having a hardware processor with an interface 132and a non-transitory memory storing the database 124, authorizing alogin using the hardware processor to match credentials of the useragainst the database 124 of records for authorized users stored in thenon-transitory memory and receiving dispensing device identification forthe dispensing device 126, 128, 142 for storage in the non-transitorymemory. The method can involve generating a dosage rule file 136 byreceiving input data at the interface 132 from the authorized user andencoding at least drug consumption information, identification of thedrug consumer, and additional authorized users into machine readableinstructions for a drug watchdog program. The dosage rule file 136 canencode operating parameters for the dispensing devices 126, 128, 142(and related dispensing equipment). The method can involve identifying adestination dispensing device 126, 128, 142 to receive the dosage rulefile 136 using the hardware processor to access the dispensing deviceidentification in the non-transitory memory. The method can involveestablishing a secure communication link to encrypt messages exchangedwith the dispensing device 126, 128, 142 with encryption keys to confirmthe identification information of the dispensing device 126, 128, 142.The method can involve transmitting, using the secure link, the dosagerule file 136 to the destination dispensing device 126, 128, 142. Thedestination dispensing device 126, 128, 142 can have a hardwareprocessor and a non-transitory memory storing the drug watchdog programand the dosage rule file 136. The destination dispensing device 126,128, 142 can execute the dosage rule file 136 and the drug watchdogprogram using the hardware processor to access the non-transitorymemory, and upon execution, the drug watchdog program continuouslyrunning on the destination dispensing device The destination dispensingdevice 126, 128, 142 can and reading the dosage rule file to: open acompartment of dispensing equipment to receive drugs matching the drugconsumption information in the dosage rule file 136. The destinationdispensing device 126, 128, 142 can detect closure of the compartmentand drug provisioning of the dispensing device; upon authorizingbio-identity input, send a provisioned stage reached message to thecentral server 124 to program the processor to a provisioned stage. Thedestination dispensing device 126, 128, 142 can receive a begindeployment command from the central database to program the processor toa deployment stage of the dispensing device 126, 128, 142; activatetimers upon deployment on the dispensing device 126, 128, 142 to controlrelease of the drugs contained in the compartment for the drug consumer;and encrypt messages using the encryption keys; and send the encrypteddrug consumption messages for decryption by all authorized users to thecentral server 124 upon expiration of at least one of the timers.

In some embodiments, the method involves at the central server,providing the interface 132 to receive the input from the authorizeduser to generate the completed dosage rule file 136. In someembodiments, the method involves detecting a connection from a selecteddispensing device 126, 128, 142 to a user’s computer system; providing,to the authorized drug dispenser, the interface 132 on the centralserver in order to generate the completed dosage rule file 136. Upondetecting the finishing of the completed dosage rule file 136, using theselected dispensing device’s identification received from the dispensingdevice 126, 128, 142 through its connection to the user’s computer, toestablish the secure channel to encrypt all messages exchanged betweenthe dispensing device 126, 128, 142 and the central server 124 ordatabase 124, and transmitting the completed dosage rule file 136 toenable the provisioning of the dispensing device 126, 128, 142.

In some embodiments, the method involves at the destination dispensingdevice 126, 128, 142 running the drug watchdog program, establishing asecure data communication path with the central server 124 by using thedispensing device’s identification to select encryption keys; andreceiving an indication from the central server over the secure datacommunication path that the dosage rule file is ready for transmissionto the destination dispensing device, the completed dosage rule fileencrypted using encryption keys linked to the dispensing deviceidentification.

In some embodiments, the method involves, at the destination dispensingdevice 126, 128, 142, establishing a secure communication link betweenthe compartment and the hardware processor for data exchange, openingthe compartment by sending control messages to the compartment over thesecure communication link. The compartment of the dispensing device canbe separate from the hardware processor of the dispensing device.

In some embodiments, the method involves identifying the destinationdispensing device 126, 128, 142 as having dispensing equipment separatefrom the hardware processor of the dispensing device 126, 128, 142running the drug watchdog program. The dispensing equipment having thecompartment, and encoding an identifier for the drug dispensingequipment in the dosage rule file.

In some embodiments, the opening of the compartment requires aconfirming status message from the central server 124 to instruct thedrug watchdog to perform an unlock procedure.

In some embodiments, the method involves, at the central server 124,allowing multiple dispensing devices 126, 128, 142 to be in aprovisioned stage, and sending a begin deployment command to only onedispensing device 126, 128, 142 assigned to the same drug consumer at atime.

In some embodiments, the method involves, at the central server 124,detecting that a deployed dispensing device 126, 128, 142 has run out ofdrugs and sending a begin deployment command to the next provisioneddispensing device 126, 128, 142 for the same drug consumer.

Embodiments described herein relate to a computer implemented method ofsecuring and tracking a dispensing device 126, 128, 142 and a dosagerule file 136 by an authorized drug dispenser using one or more centralservers 124 for managing dispensing devices and a drug watchdog programrunning on the dispensing device 126, 128, 142. The method involves: ata hardware processor coupled to a non-transitory memory storing aprescription database of authorized users, authorizing a login using thehardware processor matching the credentials of the user against theprescription database of authorized users stored in the non-transitorymemory to create an authorized drug dispenser. The method can involvesearching by the authorized drug dispenser for prescription informationusing the hardware processor to access the prescription database storedin the non-transitory memory, the authorized drug dispenser linked to adrug consumer’s identity; creating a dosage rule file encoding theprescription information, the drug consumer’s identity, drug consumptioninformation and additional authorized users for the dispensing deviceinto machine readable instructions for the drug watchdog program thatcan be downloaded to the dispensing device 126, 128, 142. The method caninvolve establishing a secure data communication path with the centralserver 124 used for managing dispensing devices, by using the hardwareprocessor to determine identification of the dispensing device to selectencryption keys; encrypting the dosage rule file using encryption keyslinked to the dispensing device identification. The method can involveexchanging with the central server 124 over the secure communicationpath the dosage rule file. The dispensing device 126, 128, 142 having ahardware processor and a non-transitory memory can store the drugwatchdog program and the dosage rule file, and execute the dosage rulefile 136 and the drug watchdog program using the hardware processor toaccess the non-transitory memory. Upon execution, the drug watchdogprogram continuously running on the dispensing device 126, 128, 142 andreading the dosage rule file 136 to: open a compartment of dispensingequipment to allow drugs to be inserted matching the drug consumptioninformation in the dosage rule file 136. The dispensing device 126, 128,142 can detect closure of the compartment and drug provisioning of thedispensing device. Upon authorizing bio-identity input from the drugconsumer, the dispensing device 126, 128, 142 can send a confirmationmessage to the central server 124 to enter a provisioned stage. Thedispensing device 126, 128, 142 can receive a begin deployment commandfrom the central server that commences the deployment stage, andactivate timers upon deployment on the dispensing device to allow thecontrolled release of the drugs contained in the compartment. Thedispensing device 126, 128, 142 can send drug consumption messages andalert messages for decryption by all authorized users, using theselected encryption keys to the central database 124 when the timerexpires.

In some embodiments, creating the dosage rule file 136 involves movingthe prescription information from the prescription database to thecentral server 124 that is used for managing dispensing devices. In someembodiments, opening of the compartment requires a confirming statusmessage from the central server informing the drug watchdog to performan unlock procedure. In some embodiments, the expiration of theactivated drug dose timers to allow the release of a drug dose, alsoincludes one or more indications including modifying the display of LEDlights, displaying a message on a screen, the playing of auditory soundsand the sending one or more message to the drug consumer using aconfigured communication method.

In some embodiments, an alert message transmitted from the dispensingdevice 126, 128, 142 to the central server 124 is relayed from thecentral server to the drug consumer using one or more configuredcommunication methods.

In some embodiments, an alert message within the dispensing device 126,128, 142 is sent directly to the drug consumer’s computer device usingone or more configured communication methods.

In some embodiments, the decryption of messages by all authorized usersfurther includes the ability for one of the authorized users to modifythe dosage rule file.

In some embodiments, the method involves, at the destination dispensingdevice 126, 128, 142, establishing a secure communication link betweenthe compartment and the hardware processor for data exchange, openingthe compartment by sending control messages to the compartment of thedispensing device over the secure communication link. The compartment ofthe dispensing device 126, 128, 142 is separate from the hardwareprocessor of the dispensing device 126, 128, 142.

In some embodiments, the method involves identifying the destinationdispensing device 126, 128, 142 as having drug dispensing equipmentseparate from the hardware processor of the dispensing device runningthe drug watchdog program, the drug dispensing equipment comprising thecompartment, and encoding an identifier for the drug dispensingequipment in the dosage rule file.

Embodiments described herein relate to a computer system for securingand tracking a dispensing device 126, 128, 142 and a dosage rule file136. The system can involve a central server 124 having a hardwareprocessor with an interface and a non-transitory memory storing adatabase, the interface 132 to generate and provide a completed dosagerule file encoding at least a drug consumer’s identity, drug consumptioninformation and authorized users for a dispensing device into machinereadable instructions for the drug watchdog program, the completeddosage rule file encrypted using encryption keys linked to thedispensing device identification. The system has a dispensing device126, 128, 142 having a hardware processor and a non-transitory memorystoring drug watchdog program running on the dispensing device 126, 128,142, the hardware processor executing the drug watchdog program. Uponexecution, the drug watchdog program continuously running on thedestination dispensing device to: establish a secure data communicationpath with the central server 124 by using the dispensing device’sidentification to create an encrypted channel; verify that at least oneauthorized user is in possession of the identified dispensing device126, 128, 142 by changing the state of the dispensing device 126, 128,142 and requiring the authorized user to verify that state; receive anindication from the central server 124 within the received statusmessage over the secure communication path that the completed dosagerule file is ready for download after the authorized user is verified.The dispensing device 126, 128, 142 exchanges the completed dosage rulefile with the central server 124 to enable the provisioning of thedispensing device. The hardware processor executes the completed dosagerule file and upon execution, the drug watchdog program reading thedosage rule file to: open a compartment of dispensing equipment to allowdrugs to be inserted matching the drug consumption information in thedosage rule file; detect closure of the compartment and drugprovisioning of the dispensing device. Upon authorizing a biometricinput from a drug consumer, the dispensing device 126, 128, 142 sends aconfirmation message to the central server 124 to enter a provisionedstage of the dispensing device dispensing device 126, 128, 142 andreceive a begin deployment command from the central server 124 thatcommences the deployment stage of the dispensing device. dispensingdevice 126, 128, 142. The dispensing device 126, 128, 142 activatestimers upon deployment on the dispensing device 126, 128, 142 to allowthe controlled release of the drugs contained in the compartment. Thedispensing device 126, 128, 142 can send drug consumption messages forviewing by all authorized users, using the selected encryption keys tothe central server when the timer expires.

In some embodiments, the destination dispensing device 126, 128, 142establishes a secure communication link between the dispensing equipmentand the hardware processor for data exchange to open the compartment bysending control messages. The dispensing equipment can be separate fromthe hardware processor running the watch dog program.

The drugs 116 within the dispensing device 126, 128, 142 could be in aphysical form, a liquid form, a vapour form or some combination, forexample a liquid that is expelled as a vapour. There are many electronicinsulin pump devices 128 that allow a separately worn arm band to feedreal-time information to the pump device 128 for patient dosing. Such adevice can be guided by a dosage rule file that is managed by a drugwatchdog. Similarly, digital electronic inhaling devices 126 exist thatcan benefit from a managed dosage rule file that sets limits on how mucha patient can use the inhaler 126 and the medication it contains.Further devices could include IV machines, electronically controlledPeripherally Inserted Central Catheter (PICC) type devices and otheradvanced medical dispensing devices.

Various forms of dosage rule files 136 are downloaded to match the typeof dispensing devices 126, 128, 142 being used with the drug consumer106. Amounts, quantities and measures are designed by the system tomatch specific methods used to measure and insert the drugs 116 into thedispensing devices 126, 128, 142.

In those embodiments where the drug watchdog program is running onanother computer system, the drug dispenser 112 might first verify thedrug consumer 106 has the necessary drug dispensing application on thatcomputer system. The drug dispenser 112 might had the drug consumer 112a wearable lanyard, or a drug dispensing wand or even verify a drugdispensing App is loaded on their smartphone. In these embodiments thecentral database 124 is given the contact information for communicatingwith the drug watchdog. The drug watchdog must then validate that it isin communication with the correct drug dispensing equipment 126, 128,142.

As mentioned, there are times that prescriptions can be filled bydoctors within their offices, especially in very small communities orwhen free samples are available. Depending on the environment andcountry many other names could be used for these individuals. Drugdispensers 112 might be located in many possible locations 110. Theycould be in a hospital, in a pharmacy, at a person’s home, in anemergency department, in a doctor’s office or anywhere where drugs 116are kept for physical distribution.

There are several embodiments for drug prescribers 104, drug dispensers112 and dispensing devices to communicate to the one or more networks122, 144. In some embodiments the drug prescriber 104, drug dispenser112 and dispensing device 126, 128, 142 are connected 120 to a network122, 144 that is capable of reaching the same central database 124, 138.In other embodiments, it is possible the drug dispenser 112 mustcommunicate to both an e-Prescribing Authority 138 first and then finishthe provisioning and deployment of the dispensing device 126, 128, 142on the central database 124.

They might be on the same network 122, or on different networks likeNetwork A 122, and Network B 144 that can reach the same computer system124, 138. In some embodiments a wireless network, like Network B 144goes through a public network Network A 122, like the Internet to reachthe central database 124 or e-Prescribing Authority 138. In otherembodiments the computer 130 running the central database 124 might havemultiple connections 120 to different networks 122, 144. In someembodiments the network 122 is a publicly available network like theInternet. In other embodiments it could be a closed private networkwithin a hospital. The common central database 124 is used to manage thedispensing devices 126, 128, 142, control dosage rule files 136 andcollect all tracking information when deployed. Drug prescriber 104 anddrug dispenser 112 have different choices as to how they participatewith the central database 134 in the creation of the dosage rule file136 and the viewing of tracking information provided by the dispensingdevice 142.

To facilitate the involvement of the drug prescriber 104 and drugdispenser 112 a user-friendly interface 132 is provided to the centraldatabase 134 for inputting the drug consumers’ 106 prescription and forlocating a drug consumers’ 106 prescription. In some embodiments drugprescribers use Electronic Medical Record (EMR) software to managepatients and build prescriptions. Many of these EMR software systems arecapable work working with external e-prescription services. Similarly,in some embodiments drug dispensers use a Pharmacy Management Software(PMS) product to manage their business. Many of these EMS systems arecapable of working with external e-prescription services. These userfriendly, business software solutions are built for extensibility andhave application program interfaces (APIs) to enable extension tosupport a solution like a drug tracking dispensing device described inthis patent.

Connections from client computer systems 112, 126, 128, 140, 142 to theserving computer system 124, 138 can use many different wired andwireless networks and network protocols. Above the physical connectionsto wired 122 and wireless networks 144 many embodiments use standardInternet protocols, like a transport control protocol and Internetprotocol (TCP/IP), hyper-text transfer protocol (HTTP) and secure HTTPto facilitate the communication necessary to work with the centraldatabase 124 and e-Prescribing Authority 138..

To provide a user interface (UI) for the drug prescriber 104 and drugdispenser 112, 112, 140 might use an Internet capable browser tofacilitate the interface into the central server’s database system 132.The UI can be used to create and modify parameters of the dosage rulefile. The central database 124 might be a cloud-computer offering whichfacilitates access to a data storage area 134 available in a widegeographic region. In this embodiment a secure communication protocollike secure socket layer (SSL) would be used to create a secure link tothe central database storage 134. Such storage is where the dosage rulefile 136 is created and exchanged with the dispensing device 126, 128,142.

In other embodiments custom protocols and programs are used to create asecure communication path to the central database 124. Communicationsmethods for the dispensing devices 126, 128, 142 could also involve bothwired and wireless connections. In some embodiments the dispensingdevice 126, 128, 142 may also support local connections 146 to the drugdispenser’s computer 114. Connections 146 like universal serial bus(USB), and short-range Bluetooth, could allow for a secure connectionsafely within the drug dispenser’s facility 110. As mentioned in otherembodiments the connections from client computer systems 112, 126, 128,140, 142 might go to an e-prescribing cloud server 138. Interconnections150 from this e-prescribing system 138 to the central database 124 wouldbe accomplished through computer-to-computer communications 150 usingmessage exchanges following formats like JSON over HTTP or HTTPS.

The different embodiments for creating the dosage rule file 136 andworking with the dispensing device 126, 128, 142 are highlighted inFIGS. 2 and 3 . The focus is creation of the dosage rule file 136 andthe different ways the drug prescriber 108 and drug dispenser 112 canparticipate.

When a drug consumer 106 visits a drug prescriber 104 in their facility102, the drug prescriber 104 has two choices. In one embodiment they arewilling and able to use the central database 124 or an e-prescribingservice 138. In another embodiment they are not initial able to use thecentral database 124 or e-prescribing service 138.

In those embodiments where the drug prescriber 108 can login into thecentral database 124 or e-prescribing service 138 they are authorizedinitially through licensing boards and professional bodies and arematched to licensed practitioners through name, identification,association certificates, addresses and/or other specified informationwhen they create their login and password profiles. Once connected andthrough the authorization stage, the drug prescriber 104 is then able tostart the process of creating a dosage rule file 136 for a drug consumer106.

The drug consumer’s 106 identification is also required with the dosagerule file 136 to ensure accurate accessing of the correct dosage rulefile 136 by the drug dispenser 112. Once the dosage rule file 136 isentered into the central database 124 the drug consumer 106 can go to alicensed drug dispenser 112 to have their dosage rule file 136 loadedinto a dispensing device 126, 128, 142. The drug dispenser 112 must usetheir computer 114 to access the central database 124 in order to locatethe drug consumer’s 106 dosage rule file 136 as entered by the drugprescriber 104. In some embodiments the drug dispenser 112 must firstlocate the prescription information on the e-Prescribing Authority 138and request it through the central database 124 over the securecommunications link 150.

Once the drug consumer 106 identifies themselves, the drug dispenser 112can proceed to load the dosage rule file 136 into a specializeddispensing device. Once the dosage rule file 136 is loaded thedispensing device 126, 128, 142 will open. Once the drugs 116 are loadedand the dispensing device 126, 128, 142 is closed the dispensing device126, 128, 142 enters the final stage of provisioning. With thedispensing device 126, 128, 142 selected and the drug 116 loaded, thedrug consumer 106 provides a bio-identity and biomedical information tothe dispensing device 126, 128, 142 so the dispensing device 126, 128,142 can enter the provisioned stage.

Once in the full provisioned stage the central database 124 decides whento issue the begin deployment command. Once in deployment, the drugconsumer 106 can receive their daily drugs 116 by proving theirbiometric before being allowed to remove the drugs 116. In someembodiments the biometric that has already been taken by the drugprescriber 104 may be used along with biomedical data for the dispensingprocess. This dispensing device is the focus of FIG. 4 which follows.

In some embodiments the drug consumer 106 is only allowed to possess onedispensing device 126, 128, 142 and the central database 124 will blockthe provisioning process if multiple dispensing devices 126, 128, 142attempt to provision the same drug consumer 106 with the exact same drug116. In other embodiments the central database 124 allows multipledispensing devices 126, 128, 142 to be given to the same drug consumer106 with the exact same drug 116. In this case the goal is to providethe drug consumer 106 a continuous supply of drugs 116 so they do notaccidently run out which could cause a life and death situation in somecases. In this embodiment the central database 124 knows precisely whenthe last dose is extracted from a given dispensing device 126, 128, 142,and will issue the begin deploy command to a second dispensing device126, 128, 142 when additional drugs 116 are needed. This is referred toas the hot-swap method of continuous drug 116 supply.

In some embodiments the drug prescriber 104 is not able to use thecentral database 124 to help initially build the dosage rule file 136.In these embodiments an alternative prescription method is used with thedrug consumer 106. In some embodiments this will result in the drugconsumer 106 hand-carrying a copy of the prescription to the drugdispenser 112. However, it is possible for the drug dispenser 112 togrant access to the drug prescriber 104 after they have completed theprovisioning and deployment steps for the drug consumer 106 and adispensing device 126, 128, 142. This secure access to the centraldatabase 124 will allow the drug prescriber 104 to review the dosagerule file 136 and tracking message for the drug prescriber 104 once thedispensing device 126, 128, 142 is provisioned and deployed in thefield. These embodiments are further explored in FIGS. 2 and 3 .

Turning to FIG. 2 there is an embodiment of a network overview 200showing the use of a dispensing device 208, 236, 238, in a wirelessnetwork 222. In many embodiments the process starts as the drug consumer212 enters a drug dispensing location 202 holding their prescription 232in hand. In other embodiments the drug consumer 212 might be helped by ahealth-care professional 204, one of their children 204 or a spouse 204to prepare and load the dispensing device 208, 236, 238.

The dispensing location 202 is capable of working with a dispensingdevice 208, 236, 238 that is needed to hold the prescription drugs beingrequested by the drug consumer 212. In some embodiments, these arehigh-risk drugs that are considered very addictive. In some embodimentthey have restrictions placed on their use by governments, insurancecompanies or drug manufacturers.

In some embodiments the dispensing activity can take place in the samelocation where the drug prescriber first created the prescription 232.The drug consumer 212 interacts with the drug dispenser 204 in order toacquire the prescribed drugs within a dispensing device 208, 236, 238.In these embodiments the drug consumer 232 is carrying a formalprescription in their hand, making it clear to the drug dispenser 204that it has not been created by the central database 216 and that adosage rule file 230 does not yet exist. In these embodiments the drugprescriber has not worked with a compatible e-prescribing system thatrequires the drug dispenser 204 to complete, as described in FIG. 1 . Inthis illustration the drug dispenser 204 is working alone to helpsupport, protect and ensure better patient 212 outcomes. They can, inthe process of creating the dosage rule file 230, add additional healthcare workers and support staff, including doctors, pharmacists, nurses,on-call assistance and others to help track progress and review feedbackmessages from the dispensing device 208, 236, 238.

There are several embodiments where a non-licensed person 204 canassists the drug consumer 212 to make use of the dispensing device 208.This person 204 is acting as a proxy for the drug dispenser, in somecases picking up the drugs on behalf of the drug consumer 212 andinserts them into the dispensing device 208, 236, 238. They might havepower of attorney (POA), they might have POA for personal care or mightbe a spouse or loved one with a desire to improve the drug consumer’s212 drug consumption outcome.

In this embodiment the owner 204 of the dispensing device 208 can logininto the dispensing device 208 and create a dosage rule file 230 bydirectly communicating 210 to the dispensing device 208, 236, 238. Thesteps of creating the dosage rule file 230 are always required in orderto provision and deploy the dispensing device 208, 236, 238 and insertthe necessary drugs. This could take place in an old age home, ahospital, a patient’s 212 home or any location where a computer 206 isavailable.

In this embodiment the drug consumer 212 is carrying a formalprescription 232, so the drug dispenser 204 has several options to fillthe prescription 232. In this embodiment the drug dispenser 204 simplyconnects 210 a dispensing device 208, 236, 238 to their computer 206 andbegins to work directly on creating a dosage rule file 230. The processof connecting an operational and supported dispensing device 208, 236,238 to their computer 206 creates the beginning of an authenticatedrelationship to the dispensing device 208, 236, 238. As mentioned, thisconnection could be over USB, Bluetooth, near field communications (NFC)or some other close-proximity method. The drug dispensing 204 might alsouse a laptop, tablet or cell phone computer to interface to thedispensing device 208, 236, 238. The goal is to ensure the dispensingdevice 208, 236, 238 has an authenticated connection 210 to a drugdispenser’s 204 computer 206 and no other computer 206 in the vicinity.In some embodiments once connected 210 the drug dispenser 204 might usean Internet browser and an HTTP visual interface to prepare the dosagerule file 230 or in other embodiments they might use a custom programdesign specifically to work only with these custom build dispensingdevices 208, 236, 238.

Before the drug dispenser 204 can start building the dosage rule file230 and filling the drug dispenser 204 with drugs, they must create alogin process. Creating or validating an existing login represents thesecond step in the authentication stage. This step will ensure that onlythey can access this dispensing device 208 in future. Creating a newlogin and password combination can only take place on a dispensingdevice 208, 236, 238 that has never been used before or that is emptyand in an idle, unused state. It is possible that when a givendispensing device 208, 236, 238 has completed its dosing requirementsfor one drug consumer 212, it could be de-provisioned and given toanother drug consumer 212. It could be rented, sold or exchanged betweendifferent drug dispensers 204 as needed when it has been de-provisioned.

At no time should other individual be allowed to gain access to thedispensing device 208, 236, 238 to adjust the drug dosage or change anypart of the dosage rule file 230. There are several embodiments for thelogin procedure when gaining access to a dispensing device 208, 236,238. If the dispensing device 208, 236, 238 has been used before andstill contains some number of unused drugs, the drug dispenser 204 willhave to use the previous login process already established. If thedispensing device 208, 236, 238 is empty or has never been used beforethe drug dispenser 204 can just from the beginning to create a new loginprocess. In one embodiment the login process is both a login name and apassword. In another embodiment the login process is simply a passwordor access code for the dispensing device 208, 236, 238.

Once the login process is created the drug dispenser 204 can commencethe provisioning of the drug dispenser 208 by building a dosage rulefile 230.. The dosage rule file 230 includes details from theprescription 232 information and required information about the drugconsumer 212. For example, information components could be a drugconsumers 212 identification, health card identification, biomedicalrequirements, photographic evidence of the drug consumer 212 andoperating details for the dispensing device 208, 236, 238.

Once this information is collected, it can be entered through theinterface provided by the drug watchdog running on the dispensing device208, 236, 238 to build the dosage rule file 230. An example of thecontents of the dosage rule file have been shown earlier in thisapplication. In this embodiment the addition of the passwords for thedrug prescriber, drug dispenser and other health support workers arevery important as they get delivered and used by the central database216 later. Then at a later date when the dispensing device 208, 236, 238has been provisioned and deployed any of these people will be able tolog into the central database 216 and review how the drug consumer 212is doing with their drug consumption.

In some embodiments the login and password might provide differentlevels of access and visibility to the dosage rule file 230. Forexample, the drug prescriber will be able to change the dosage values inthe dosage rule file 230 and request it be uploaded back into thedispensing device 208, 236, 238. The drug dispenser 204 will only beable to change the number of pills added to the dispensing device 208,236, 238 before it is uploaded back into the dispensing device 208, 236,238. There are cases where the drug consumer 212 has reached the veryend of their prescription and only a portion of drugs remain in theirprescription 232. Finally, the other health support workers might onlybe able to see the tracking information provided by the dispensingdevice 208 after it is provisioned and deployed in the field.

Once the dosage rule file 230 is complete and uploaded to the centraldatabase 216, they are reviewed within the data storage area 220 via auser interface (UI) 218, or using advanced computer logic to comparepatients, drugs and dispensing devices 208, 236, 238. Checks can be madeto allow for different drug dispensing strategies and restrictions. Forexample. In one embodiment the central database 216 has logic to ensurea drug consumer 212 does not already have a dispensing device 208, 236,238 assigned to them and dispensing the same drug already. In anotherembodiment the drug consumer 212 would be allowed to have multipledispensing devices 208, 236, 238 and only one has been placed intodeployed mode by the central database 216. This hot-swap method could beused to ensure a continuous supply of medication is already on hand forvery high-risk drug consumers 212.

When the dispensing device 208, 236, 238 is first turned on andconnected 210 to a local computer it establishes a link 242 to thecentral database 216 over a wireless network 222. Base station 226support and coverage allow for a mobile and portable dispensing device208, 236, 238 to allow the drug consumer 212 to travel and move aroundwith their drugs.

The central database 216 performs a check on the dispensing device’s208, 236, 238 state to ensure it is known and available for use. It thensends the final all clear to proceed message, the dispensing device 208,236, 238 will then proceed with login, authorization and the first stepof provisioning, which is to create the dosage rule file 230. After thedosage rule file 230 is complete the dispensing device 208, 236, 238 canbe opened.

Once the dispensing device 208 is opened, the next part of theprovisioning process takes place when the drugs are finally loaded andthe dispensing device 208, 236, 238 is closed. With the drug loaded andthe dispensing device 208, 236, 238 closed, the final step inprovisioning involving the collection and validation of thebio-identity.

Provisioning of the bio-identity requires the drug consumer 212 toprovide a bio-identity to the dispensing device 208, 236, 238 to receivetheir regular dosage of drugs. The bio-identity will include a biometricto access the dispensing device 208, 236, 238 for every dose and mightalso include biomedical data. As discussed, biomedical data might berequired to allows the drug consumer 212 to receive their next dose oftheir drugs, or in other embodiments it might be needed periodically. Insome embodiments the biometric could be a fingerprint, retina scan,heart rhythm or some other unique property that is inherent to the drugconsumer 212. In other embodiments the drug consumer 212 could have asub-dermal implant that provides a unique identification held only bythat person 212. Many other embodiments are possible including facialrecognition, vein scan and other bio-centric techniques. With such aclose relationship between the dispensing device 208, 236, 238 and thedrug consumer 212 changing to a different dispensing device 208, 236,238 does require some steps.

In some embodiments the dispensing device 208 has malfunctioned and justneeds to be swapped for a new one. The drug consumer 212 would have tore-visit the drug dispenser 204 to facilitate this. In other embodimentsthe drug consumer 212 needs a completely different drug and must visitthe drug prescriber to make that change. This would then have to befollowed by a trip back to the drug dispenser 204 to remove the drugsfrom their current dispensing device 208, 236, 238 and insert new drugsinto the same dispensing device 208, 236, 238 or in some embodimentsinto a new dispensing device 208, 236, 238. The central database 216keeps track of all drugs held within the changed dispensing device 208,236, 238 and the drug dispenser 204 will be told they must return allremoved drugs, especially high-risk drugs back to the manufacturer to bedestroyed.

Once deployment has taken place, the dispensing device 208, 236, 238uses its connection 234 to the wireless network 222 to send securemessages 242 to the central database 216. Each of the encrypted messagessent will provide the identity of the dispensing device 208, 236, 238.Since the dosage rule file 230 was already sent during the provisioningstage, the central database 216 has used some of the contents to buildauthorization login and passwords for drug prescribers, drug dispensers204 and other health care professions. These added authorized accesseswill allow these individuals to look at data for this drug consumer 212on this specific dispensing device 208, 236, 238 on the central database216 through the interface 218 provided by the central database 216.These messages will be encrypted using several possible embodiments forcreating encryption keys and encrypting messages. The drug watchdog onthe dispensing device 208, 236, 238 also encrypts any stored data inmemory so that no tampering, copying, modification or malicious damagecan take place unnoticed. The drug watchdog software monitors activitieson the dosage rule file stored on the dispensing device. Modification ordamage to any of the files will result in re-requesting the data fromthe central database 216.

Drug consumer 212 information can also be added to the dosage rule file230 to allow for important alerts to be provided to the drug consumer212. This might involve information about low drug levels, low powerlevels or other critical information.

Example methods of encryption could be used to negotiate and facilitatethe extra protection required. For example, in some embodiments,public-key cryptography might be used. In this embodiment the centraldatabase 216 holds the public key for all deployed dispensing devices208, 236, 238 that are manufactured to be part of the system. Themanufacturer provides these public keys to the central database 216 aseach dispensing device 208, 236, 238 is built, tested and entered intothe system. The public key of the central database 216 is also installedinto each dispensing device 208, 236, 238 in a tamper-proof memory. Inanother embodiment a seed value might be used to negotiate a sharedsymmetric key between the dispensing device 208, 236, 238 and thecentral database 216. The seed value might be extracted from thecomputer 206 connecting 210 the dispensing device 208, 236, 238 and thecentral database 216 for example. In another embodiment the seed valueis a serial number of the dispensing device 208, 236, 238 that has alsobeen provided to the central database 216. The seed value is used tonegotiate a symmetric encryption key used to exchange information. Oncea secure path 242 is created all messages and dosage rule file 230 canbe uploaded to the central database 216.

As mentioned once the dosage rule file 230 is uploaded to the centraldatabase 216 the drug prescriber and drug dispenser 204 can review theinformation and change different parts of it if the drug consumer’s 212needs change. When the central database 216 places the dispensing device208, 236, 238 into the deployment stage, the dispensing device 208, 236,238 communicates status messages to the central database 216 on aregular basis. In some embodiments this communication occurs every timea drug is ejected to a drug consumer 212. In other embodiments thiscommunication 242 could occur once a day or every other day. Differentembodiments could be configurable and data communication failures atdifferent times could result in cached messages that are saved untildata communication paths 234 are reestablished. All messages 242 use thenegotiated encryption key to ensure that eavesdropping or manipulationof message is not possible.

Turning now to FIG. 3 there is another embodiment 300 of a networkoverview showing the use of a various dispensing devices 308, 342, 344.In some embodiments the process starts as the drug consumer 312 enters alocation 302 that holds prescription drugs. In other embodiments thedrug consumer 312 enters with an indication that the provisioningprocess has already been started by the drug prescriber. Therefore,there are several embodiments that can take place for the drug dispenser304 as they meet this drug consumer 312.

For example, in one embodiment they could be carrying a paperprescription 340 indicating the drug prescriber has not logged into thecentral database 316 and started the process of preparing the dosagerule file 330. In another embodiment the drug consumer 312 arrives witha paper with prescription-like information 340 but it simply points toan identification code for the dosage rule file 330 on the centraldatabase 316. In another embodiment the drug consumer 312 arrives andjust tells the drug dispenser 304 that they have a prescription waitingto be filled on a compatible national or regional e-prescribing service.This indicates to the drug dispenser 304 that the process of creatingthe dosage rule file 330 has been started. Unlike FIG. 2 , in thisfigure the drug dispenser 304 will connect to the central database 316or an e-prescribing service using one of several methods.

In FIG. 3 there is also the ability for a non-licensed person 304 toassist the drug consumer 312 when using the dispensing device 308, 342,344. This person 304 is acting as a proxy for the drug dispenser bycollecting the drugs on behalf of the drug consumer 312 and inserts theminto the dispensing device 308, 342, 344. They might have power ofattorney (POA), they might have POA for personal care or might be aspouse 304 or loved one 304. In these embodiments the owner 304 of thedispensing device 308, 342, 344 logins into the central database 316 andcreates a dosage rule file 330 in order to provision the dispensingdevice 208 and insert the necessary drugs. This could take place in anold age home, a hospital, a patient’s 212 home or any location where acomputer 206 is available.

In one embodiment the drug dispenser 304 opens a connection 314 througha network 322 with the intention of logging into the central database316. In one embodiment the drug dispenser 304 has created an authorizedlogin at the central database 316 and is able to use its interface 318to work with and update the dosage rule file 330. Once the drugdispenser 204 completes work on the dosage rule file 330 the centraldatabase 316, it can download the dosage rule file 330 to the correctdispensing device 308, 342, 344 using one of several possibleembodiments.

In this embodiment, unlike the examples shown in FIG. 2 , the drugwatchdog on the dispensing device 308, 342, 344 does much less work withthe drug dispenser 304 over the connection 310. In this embodiment, itjust needs to receive the dosage rule file 330 not built one itself. Inthis embodiment the drug dispenser 304 creates a new login at thecentral database 318 and goes through a verification process to provethey are in possession of a known dispensing device 308, 342, 344. Oncethey identify the dispensing device 308, 342, 344 and verify theypossess it, the dosage rule file 330 can be created and uploaded to thedispensing device 308, 342, 344. This is discussed later in thissection.

There are several possible embodiments when either the drug prescriberor the drug dispenser 304 use a login authorized by an externalaccredited legal entity. In one embodiment an e-prescribing system likePrescribelT™ in Canada is used to facilitate the online creation andmanagement of prescriptions.

In another embodiment the central database 316 contains the legallyauthorization codes and confirmation identifiers to enable theauthorization stage. In these embodiments various governing bodies fordrug prescribers provide detailed information for all known and licenseddrug prescribers in a given region or country. This confirms that agiven set of drug prescribers are certified and authorized to prescribedrugs to the general public.

For example, in Canada a doctor might acquire their license to practicefrom the Medical Counsel of Canada. With this license comes a number andidentification tracking mechanism. They can use this to create theirauthorized login and enter prescriptions into the central database 316.For drug dispensers 304 various governing bodies for drug dispenser’s304 provide detailed information for all known and licensed drugdispenser’s 304 in a given region or country. This confirms that a givenset of drug dispenser’s 304 are certified and authorized to dispensedrugs to the general public.

When an e-prescribing system is present the central database 316 uses acomputer-to-computer method that employs an application programinterface (API) to extract prescription information to create the dosagerule file 330. This was discussed in FIG. 1 in greater detail. Forexample, a system like PrescribelT™ uses a Java Script Object Notation(JSON) API to facilitate pharmacy management software (PMS) systems 306to interact with the data stored in the PrescribelT system. In thisembodiment there could be a two-step process. The first step would be tofirst locate the patient’s prescription on the e-prescribing system andimport it into central database 316 using several possible methods. Thesecond step would be to augment that information with any otheroperation parameters required and securely download that informationinto the drug consumer’s 312 dispensing device 308, 342, 344.

Once a drug prescriber is authorized, they can enter prescriptioninformation 340 into the central database 316 to begin building thedosage rule file. They can also print out some of this information 340for the drug consumer 312 to carry to the drug dispenser 304. For thedrug dispenser 304 once they have an authorized login to the centraldatabase 316, they can search for or create dosage rule files 330 todownload into dispensing devices 308, 342, 344.

With an authorized login the drug dispenser 304 has the advantage ofconnecting 310 the dispensing device 308, 342, 344 or not connecting 310the dispensing device 308, 342, 344. In the embodiment where they drugdispenser 304 does not connect the dispensing device 308, 342, 344, itis assumed the dispensing device 308, 342, 344 supports anotherconnection 336 alternative like a cellular connection or a WiFiconnection 336.

In other embodiments the drug dispenser 304 still connects 310 thedispensing device 308, 342, 344 into the computer 306 to reduce problemswith out-of-coverage and loss-of-coverage type radio frequency (RF)issues. When the central database 316 has both wired and non-wiredcommunications 314, 336 it provides maximum success and increasedoptions to ensure the data intended for the dispensing device 308, 342,344 reaches it as expected. This embodiment could be very helpful inremote communities where cellular coverage 336 is very spotty ornon-existent. This embodiment might be very useful in communities thatare sparsely served by public Internet access and only pharmacists andlarge businesses have such connections 314.

Another advantage for connecting 310 the dispensing device 308, 342, 344to drug dispenser’s 304 computer 306 is to create an authorization pathto a known, authorized and approved dispensing device 308, 342, 344. Inthis advantage the central database 316 has not been provided all theinformation on every licensed drug prescriber and every licensed drugdispenser 304. In this embodiment the drug dispenser 304 connects 310 anauthorized and known dispensing device 308, 342, 344 into their computer306. Only with the dispensing device 308, 342, 344 connected andrecognized by the central database 316 will they be able to create alogin and password related to this specific dispensing device 308, 342,344.

In this embodiment the drug dispenser 304 does not enter theidentification of the dispenser device 308, 342, 344, as it is alreadyconnected and the central database 308, 342, 344 and is in communication316 with the dispensing device 308, 342, 344. Part of the authorizationprocess involves the central database 316 retrieving that informationand assigned it to this drug dispenser 304, this login session anddosage rule file 330.

Once the drug dispenser 304 has logged in successfully to the centraldatabase 316 with or without a connected 310 dispensing device 308, 342,344, they are have passed the authentication stage and are ready to workon the dosage rule file 330.

As discussed already in some embodiments an identified dispensing device308, 342, 344 must be connected 310 before commencing to theprovisioning stage. In some embodiments the dosage rule file 330 hasalready been partially created and saved at the central database 316 byan authorized and accredited drug prescriber. In this embodiment thedrug dispenser 304 must locate the exact dosage rule file 330 for thisspecific drug consumer 312. In this embodiment the drug consumer 312must then identify themselves uniquely to the drug dispenser 304 beforethey can be assigned a dosage rule file 330. This identification mustmatch the partially created dosage rule file 330 created by the drugprescriber.

There are many possible embodiments to ensure an accurate match withinthe central database 316. In Canada this identification could be theirhealth card number, a passport number, a driver’s license or even asocial insurance number (SIN). In the USA this could be a drugconsumer’s 312 social security number (SSN), a driver’s license, a stateissued identity card or even a passport number. In other countries otherunique number-based or name-based identifiers could be used.

In some embodiments the drug consumer 312 is unable to produce theproper identification. This can happen for a number of reasons forexample the drug consumer 312 might be homeless and does not possessreliable or accurate photo identification. In this embodiment the drugprescriber has the option of using the dispensing device 308, 342, 344or a compatible biometric reader to take a biometric from the drugconsumer 312 and uploading it to the central database 316 and associatedto the dosage rule file 330. When this is done the drug prescriber canthen use the drug consumer’s 312 name as a stage one identification andthe biometric must then be used for a stage two identification. Thissame biometric information must then be provided to the drug dispenser304 to retrieve the dosage rule file 330 from the drug dispenser 304. Insome countries a sub-dermal implant might be used to hold a uniqueidentifier that acts like a quick RFID identification. Such systems usea form of RFID called near field communication (NFC) to energize andthen identify the holder of the sub-dermal implant. These any otherforms of identification are possible to confirm to the drug dispenser304 that the drug consumer 312 standing in front of them is exactly whothey claim to be.

Once the drug dispenser 304 receives a valid piece of identificationfrom the drug consumer 312, they can connect 314 to the central database316 to confirm the identity of the drug consumer 312 and to locate thedosage rule file 330 created for the drug consumer 312. In thoseembodiments where an identification is lacking the drug consumer’s 312name would be used initially to find the dosage rule file 330 but then abiometric would be needed next to confirm the dosage rule file 330 isfor them. In this embodiment the connection 314 takes place through anetwork 322 that can reach the same central database 316 used by thedrug prescriber when they created the dosage rule file 330. Theinterface 318 works in conjunction with the central database 316 toprovide a user-friendly method to search and locate this information.

In another embodiment the drug prescriber has not connected to thecentral database 316 and there is no partial dosage rule file 330 tofind. In this embodiment the drug dispenser 304 must input all thenecessary fields using the prescription information 340 brought to themby the drug consumer 312. In many embodiments this decision might beobvious based on the type of prescription form 340 handed to the drugdispenser 304. In this embodiment additional information is entered bythe drug dispenser 304, including password or access information for thedrug prescriber and other health professionals. This will allow the drugprescriber to modify the dosage rule file 330 at a later time and alloweveryone who has access to view the tracking information from thisdispensing device 308, 342, 344 provide by the drug watchdog.

Once the dosage rule file 330 is located or created by the drugdispenser 304, it can be downloaded to the correct dispensing device308, 342, 344. As already discussed in one embodiment the connection 310to the drug dispenser’s 304 computer 306 is used to facilitate thisdownload. This could take place using a connection method 310 like aUSB. In another embodiment a method like Bluetooth 310 or NFC 310 mightbe used. Other embodiments like Bluetooth 310 and NFC 310 might be moreuseful if the computer 306 is a tablet or smartphone was used inlocating and downloading the dosage rule file 330.

In other embodiments the drug dispenser 304 has a dispensing device 308,342, 344 and has not connected 310 it directly to their computer 306. Inthese embodiments the dosage rule file 330 is created on the centraldatabase 318 and is downloaded using a cellular connection 336. In thisembodiment the dispensing device 308, 342, 344 is known (e.g. verified)by the central database 316 to support cellular communications 336 andso secure messages 332 are sent using this communications medium 336.

As already discussed in FIG. 2 the communication between the centraldatabase 316 and the dispensing device 308, 342, 344 is facilitated bynegotiating an encryption key if one does not already exist. The manypossible embodiments for this encryption have been detailed. In allembodiments it is assumed a shared encryption strategy is used betweenthe central database 316 and the dispensing device 308, 342, 344. If anagile encryption strategy is used the central database 316 and thedispensing device 308, 342, 344 will use various embodiments to selectwhich encryption algorithm to use dynamically for each message or for agiven deployment period.

When the drug dispenser 304 does not connect 310 the dispensing device308, 342, 344 to their computer 306, they must go through a verificationprocess with the central database 318. This involves the drug dispenser304 providing identification information identifying the dispensingdevice 308, 342, 344 they have in their possession. Once theidentification of the dispensing device 308, 342, 344 is confirmed, anencrypted message 336 is sent to the dispensing device 308, 342, 344over the wireless network 334 to change the state of the dispensingdevice 308, 342, 344.

In one embodiment this state change might involve illuminating aspecific pattern on the LED lights. In another embodiment this statechange might involve playing a series of auditory sounds in a pattern.In another embodiment a number, or a phrase could be displayed on ascreen provided on the dispensing device 308, 342, 344. Once the statechange takes place the drug dispenser 304 must confirm the state changeon the central database 318 in order to confirm they are in possessionof the correct dispensing device 308, 342, 344. In some embodiments thisprocess could be repeated a few times verify the legitimacy of the drugdispenser 304 and their claims to be wanting to load drugs into aspecific dispensing device 308, 342, 344. Once verified the drugdispenser 304 is considered authorized and can then start to build thedosage rule file 330 to start the provisioning process.

Once the dosage rule file 330 is complete it can be securely downloadedover the encrypted wireless channel 332, 316 to watchdog programembedded and running on the dispensing device 308, 342, 344. Before thistakes place the dispensing device 308, 342, 344 sends one or moremessages 316, 332 about its current status.

In one embodiment, when connected to the drug dispenser’s computer 306,this information includes information available from the computer 306being used to connect 310 to the dispensing device 308, 342, 344. Thisinformation will be saved and used to validate drug dispensing 302locations. In other embodiments these messages will include the currentphysical contents of the dispensing device 308, 342, 344 and any otherstatus information held by the dispensing device 308, 342, 344.

In some embodiments the dispensing device’s 308, 342, 344 current statusmight not match the status being held by the central database 316. Forexample, in this embodiment there could be unsent status messages notyet received or processed by the central database 316. The currentstatus would also provide details on the last dosage rule file 330 itcontained if there was any. In these embodiments the number of remainingdrugs within the dispensing device 308, 342, 344 would also be provided.

In some embodiments this will be the first time it has ever been usedand so it has no current status. In some embodiments a status messagewill be provided that indicates a biometric is required from the drugconsumer 312 before the dosage rule file 330 can be downloaded to thedispensing device 308, 342, 344.

The central database 302 also interacts with the drug watchdog todetermine if the drug watchdog itself needs upgrading or changing. Thedrug watchdog within the dispensing device 308, 342, 344 runs along sidethe operating system (O/S) and any mechanisms used to eject drugs anddetect forced entry. If the dispensing device 308, 342, 344 is ready fora new dosage rule file 330 the central database 316 sends the dosagerule file 330 to the drug watchdog running within the dispensing device308, 342, 344.

With all checks performed between the central database 316 and the drugwatchdog on the dispensing device 308, 342, 344 the dosage rule file 330is downloaded 316, 332 over the selected channel 314, 336 depending onthe embodiment. Once this is complete the main compartment of thedispensing device 308, 342, 344 can be opened and the drug dispenser 304can insert the required drugs into the dispensing device 308, 342, 344.

In some embodiments once the dosage rule file 330 is successfullycommunicated 316, 332 to the drug watchdog, it automatically opens thereceiving compartment on the dispensing device 308, 342, 344 inpreparation for drugs to be inserted. In other embodiments the drugwatchdog might activate a switch to relieve a locking mechanism so themain compartment can be physically opened by the drug dispenser 304.Once the drugs are inserted by the dispensing device 304 the compartmentis closed and the dispensing device 308, 342, 344 can move to the finalstep of provisioning.

The final step of provisioning involves the collection and verificationof the drug consumer’s 312 bio-identity. To reach the fully provisionedstage, the drug consumer 312 must first provide a bio-identity input tothe dispensing device 308, 342, 344.

As already discussed, the bio-identity will include a biometric inputfor retrieving every drug dose and potentially one or more biomedicalinputs. After successful provisioning of the bio-identity input thedispensing device 308, 342, 344 enters the provisioned stage, which itcommunicates to the central database 316. Once in the provisioned stagethe central database 316 has sole discretion when to begin thedeployment phase, which begins the execution of the dosage rule file330.

The drug consumer 312 now is in a position to consume the drugs withinthe dispensing device 308, 342, 344 following the exact instructionsprovided by the drug prescriber. As discussed, the drug consumer 312will have to provide their bio-identity each time the they want toaccess the dispensing device 308, 342, 344 to take their next dose ofdrugs.

During this deployment state the dispensing device 308, 342, 344communicates status messages to the central database 316 on a regularbasis. In some embodiments this communication 316, 332 occurs every timea drug is ejected to a drug consumer 312. In some embodiments the drugconsumer 312 might have to provide biomedical data every day to beapproved for continued drug doses.

In other embodiments this communication 316, 336 could occur once a dayor every other day. Different embodiments could be configurable and datacommunication failures at different times could result in cachedmessages that are saved until data communication paths 314, 336 arere-established.

All messages use the negotiated encryption key to ensure thateavesdropping or manipulation of message is not possible. In someembodiments the dispensing device 308, 342, 344 is equipped withcellular capabilities to communicate tracking and usage information innear real-time. In this embodiment one of several cellular OEM chipsetsare used to provide 3G, 4G, LTE and WiFi (802.11) type communicationoptions to the dispensing device 308, 342, 344.

In some embodiments these options are important when a drug consumer 312takes the dispensing device 308, 342, 344 with them from the drugdispensing location 302. In these embodiments the drug consumer 312 mayor may not have connectivity at home and in some cases they may behomeless. In other embodiments the dispensing device 308, 342, 344 usesjust WiFi either in the drug consumer’s 312 home, or at any public, openWiFi hotspot.

Since all messages over this communication path are encrypted the use ofpublic, free WiFi hotspots is not a problem. In other embodiments thedispensing device 308, 342, 344 is plugged into the drug consumer’s 312computer at the end of the day for charging and any outstanding statusmessages are sent to the central database 316 at this time.

Turning now to FIG. 4 there is an illustration 400 of two embodiments ofthe drug dispenser being used by a patient for accessing their drugs.These two drug consumer examples 402, 408 show two embodiments where thedrug watchdog runs on separate computers 406, 410 from the drugdispensing equipment 404, 412. The drug dispensing equipment 404, 412can include a compartment for the drugs that has a transceiver toexchange data. The separate computers 406, 410 have hardware processorsin communication with the drug dispensing equipment 404, 412 overcommunication link to exchange data and control commands. For example,separate computers 406, 410 have hardware processors in communicationwith the drug dispensing equipment 404, 412 to send a control command toopen the compartment for the drugs. The drug dispensing equipment 404,412 can send messages to the separate computers 406, 410 indicatingclosure of the compartment. The dosage rule file can encode identifiersfor the drug dispensing equipment 404, 412. The separate computers 406,410 with the dosage rule file can use the identifiers to exchange dataand control commands. The separate computers 406, 410 can establish asecure communication link to the dispensing device equipment 404, 412for data exchange to open the compartment by sending control messages,for example. The dispensing device equipment can be separate from ahardware processor running the watch dog program. The dispensing deviceequipment 404, 412 can also be referred to as dispensing equipment ordrug dispensing equipment, for example.

The first embodiment the drug consumer 402 is given an electronic wand406 that has a hardware processor that runs the drug watchdog software.The wand 406 has non-transitory memory storing the drug watchdogsoftware. The wand 406 receives the drug consumer’s 402 biometricinformation and communications with the central database. The drugwatchdog running on the wand 406 is capable of cellular communicationsand receives the drug dosage file for execution. Before being given tothe drug consumer 402, the drug dispenser forms a relationship betweenthe wand 406 and the drug dispensing equipment 404 so that only thisunique wand 406 is capable of opening and accessing drugs with the drugdispensing equipment 404.

In this embodiment the wand 406 also provides the user with visual andauditory prompts to take their drugs. It also informs them which slotshould be opened and when and only the designated slot will open at thecorrect time after the drug consumer 402 verifies their identity throughthe one or more bio-identity requirements.

In other embodiments the wand 406 might be attached and only optionallyremoved by the drug consumer 402 in those situations where they aretraveling around their building or two the grocery store or somespecific outing.

To prepare the wand 406 for the drug consumer, the drug dispenser willassign the wand’s unique identification 406 to this drug dispensingequipment 404 through the interface provided at the central database.Once the drug dispensing equipment 404 and a specific wand 406 areassigned to a patient, the wand 406 is given the dosage rule file andwill work with that drug dispensing equipment 404 to dispense drugs forthe drug consumer 402. Communication between the wand 406 and the drugdispensing equipment 404 can be over secure Bluetooth or secure NFC.

In those embodiments where the wand 406 and the drug dispensingequipment 404 are integrated and inseparable, only one identification isrequired when assigning it to the drug consumer 402.

The second patient shown 408 has downloaded the drug watchdog app totheir cell phone 410 and intends to use this as their drug authorizationand control center for extracting their drugs from the drug dispensingequipment 412. The biometric reader of the cell phone 410 can then beused by the drug watchdog to verify the drug consumer’s 408 identitybefore releasing drugs. The display and notification systems of the cellphone 410 can also be used to remind the drug consumer 408 to followtheir drug regimen.

The first step for the drug dispenser in this embodiment is to selectthe drug dispensing equipment 412 that is available and matches the typeof drugs to be dispensed. The serial number or identification number ofthe drug dispensing equipment 412 is then assigned to the drug consumer408 through the central database interface provided.

To prepare the cell phone app 410 to work with the drug dispensingequipment 412, the drug dispenser will provide a unique identificationcode through the interface of the drug watchdog app on the cell phone410. This identification code can be generated by the central databaseand be temporary valid for the duration of the dispensing period, toallow the drug watchdog to register with the central database. The drugdispenser will also provide a private identification code of theselected drug dispensing equipment 412 through this same interface. Thisvalue is given out-of-band and is not transmitted through a datacommunications link. The identification code for the drug watchdog app410 and the serial number for the drug dispensing equipment 412 are thenassigned to the drug consumer 408 to create a secure and unbreakablerelationship.

When connecting the drug watchdog app 410 then identifies itself to thecentral database to receive the dosage rule file and drug dispensingequipment 412 serial number. With both the serial number and the privateidentification code, the drug watchdog 410 can then connect security tothe drug dispensing equipment 412. Using this method there is no chanceof a man-in-the-middle attack of the connection process between the drugwatchdog app 410, the drug dispensing equipment 412 and the centraldatabase.

The drug consumer can then use this drug watchdog 410 with other drugdispensing equipment (not shown) and follow the same process with a drugdispenser to create unbreakable bonds with many types of drug dispensingequipment. The drug watchdog 410 can then assign the drug consumer 408to greater levels of drug adherence.

Turning now to FIG. 5 there is a more detailed illustration 500 of adrug watchdog program working within a drug dispensing system 500. Insome drug dispensing system 500 embodiments, the drug watchdog program520 is working within the same physical enclosure 540 as the drugdispensing equipment 502. In other drug dispensing system 500embodiments, the drug watchdog program 520 communicates through thecommunication sub-system 508 of the drug dispensing equipment 502 tofacilitate the extraction of drugs. In all embodiments the drug watchdogprogram 520 has control over the dosage rule file 522 and following theinstructions within this file to determine who can open and access thisfile and how it is executed.

The drug dispensing equipment 502 is running a controller piece ofsoftware called a computer device O/S (operating system) in thisillustration. In some embodiments this software could also be referredto as firmware on an embedded device. The O/S or firmware providesinterfaces to a series of sub-systems available for use by one or moreprograms trying to control the drug dispensing equipment 502. In oneembodiment these sub-systems could be reached using application programinterface (API) calls. In other embodiments these sub-systems can belinked directly to programs loaded onto the drug dispensing equipment502. The illustration 500 is provided as an example of one embodimentand other possible sub-systems could be included in other embodiments.

For example, within the mechanical sub-system 504 could be embeddedsub-systems like a warning-light sub-system, timer display sub-systemsand other sub-systems. This illustration shows just a few possiblesub-systems, like the camera sub-system 538, the tamper-detectionsub-system 536, the bio-information collection sub-system 532 and itsrelated external input sub-system 534. These and many other specializedfeatures might be present when the drug dispensing equipment 502 isdesigned and manufactured. There could also be auditory sub-systems formaking sounds and a display to display various messages to the drugconsumer. Another example could include an accelerometer sub-system,when a given printed circuit board (PCB) includes an accelerometer chip.In the other advanced sub-systems there could be a camera or some othervideo-capable equipment. Further there could be heartbeat monitors,blood analysis mechanisms or even urinalysis equipment built into thedrug dispensing equipment 502. Many other possible enhancements could beincluded depending on the needs and design goals of the drug dispensingsystem 500.

The first sub-system listed is the communication sub-system 508. Thissub-system would be used to delivery tracking messages 524 and sendingor receiving the dosage rule file 522. There have been many possiblecommunication methods discussed for this sub-system 508, include USB,Bluetooth, Ethernet and cellular communications. This sub-system 508might support just one or many of these types of communication methodsfor the dispensing device. A sub-system includes computer hardwaredevices, such as hardware processors and non-transitory memory.

In some embodiments the communication sub-system 508 is used to securelycommunicate with the drug watchdog program 520 to facilitate the variousmechanical sub-systems 504 to dispense drugs. In other embodiments thedrug dispensing equipment 502 might have its own biometric sub-system532 that might be activated and controlled by commands from the drugwatchdog program 520.

The communication sub-system 508 is also used to negotiate theencryption key with the central database. The next sub-systemillustrated is the timing sub-system 506. The timing sub-system 506might allow for programs to set timer alarms and be notified when thetimer expires. Such timers are often used to indicate the passage oftime. Each time the timer sub-system 506 indicates it is time foranother drug dose the drug watchdog 520 will go to thebio-identification sub-system 532 to get a biometric confirmation of theaccessing person’s identity before allowing them to become the drugconsumer. Further use of the bio-identification sub-system 532 ispossible for biomedical inputs following the dosage rule file’s 522configuration

The memory sub-system 510 is the next sub-system shown and is used tostore and retrieve information which is local to the drug dispensingequipment 502. When the drug watchdog program 520 is running within thedrug dispensing equipment 502, the memory sub-system 510 will be anencrypted back-up copy of the dosage rule file 522, should the drugdispensing equipment 502 fail or have a re-boot occur. The currentencryption key would also be saved in a tamper-proof section of thememory sub-system 514. Such tamper-proof memory chips 514 are common onsmartcards and other advanced circuits and are often referred to assecure enclave processors 514. The tamper-proof memory sub-system 514can also be used to store tracking messages 524, encryption keys andother data that needs the highest level of security.

The next sub-system is the GPS sub-system 512 which would be used toretrieve the current GPS co-ordinates on the globe. In some embodimentsthe drug watchdog 520 uses the GPS co-ordinates in every message toprovide real-time tracking of a drug consumer and their whereabouts.

The next sub-system is collection of mechanical sub-systems 504 thatcould include a camera sub-system 538, a tamper-detection sub-system 536and many others. In this illustration, the tamper detection sub-system536 would be used to detect any attempts to forcibly open or break thedrug dispensing equipment 502 to steal drugs out.

The mechanical sub-system 504 would be designed to provide control tophysically moving parts, LED, auditory and display sub-systems withinthe drug dispensing equipment 502. Different embodiments might requirethe movement of a lock to allow the dispensing of a single dose ofmedication for example. Other embodiments might also involve the openingof a lid to fill the drug dispensing equipment 502 with a fullprescription of drugs. At different times the mechanical sub-system isused to illuminate one or more LED lights to inform the drug consumer ofa specific state. This might include many different states, for examplewhen to consume drugs, when the power is low, or when wireless coverageis poor to name just a few important state changes.

In the other advanced sub-system 530 two sub-systems are illustrated.First is the bio-identification sub-system 532, which is used to acceptbio-identification from a drug consumer using one of many possiblemethods. In some embodiments the bio-identity sub-system 532 is runningin a separate physical housing, like in a cell phone running the drugwatchdog 520. In other embodiments the bio-identity sub-system 532 isseparate from both the drug dispensing equipment 502 and the drugwatchdog program 520 and the communication sub-system 508 must be usedto communicate with it.

Embedded bio-identity methods and types could vary between drugdispensing equipment 502, depending on the design and chip set usedwithin the PCB, the type of bio-identity needed for different drugs anddrug consumers.. In some embodiments the bio-identity sub-system 532might also include both biometric input and biomedical input options. Insome cases, a specialized link to an external input sub-system 534 mightbe included to collect data from the user. This could include EKGmonitors, blood pressure readings, heart rhythms detectors and manyother.

Once installed and configured with the correct security information thedrug watchdog program 520 communicates with the O/S or firmware runningwithin the drug dispensing equipment 502. The drug watchdog program 520provides oversight to the operation of the drug dispensing equipment502.

The drug dispensing equipment’s 502 basic operation starts and ends ascontrolled by the drug watchdog program 520. Broadly speaking, itinforms the user when their next pill is required and at the push of abutton dispenses the drugs required. The drug watchdog program 520 alsocreates a tamper-proof and secure environment where a dosage rule file522 can be securely downloaded and stored in the memory sub-system 510,such that it can’t be changed, modified or damaged without beingdetected.

Another goal of the drug watchdog program 520 is to provide trackingmessages 524 for a range of situations and events. These trackingmessages might indicate each time a drug is dispensed from the drugdispensing equipment 502 for the drug consumer. In those embodimentswhere the drug watchdog program 520 is running in a separate computer,these messages are related through the communication sub-system 508 tothe drug watchdog program 520 for delivery to the central database.Other messages could indicate if someone is trying to break into thedrug dispensing equipment 502. When available, messages about currentlocation from the GPS sub-system 512 would be valuable to understandwhere the dangerous drugs are, especially in the case where the drugconsumer misses a dose and could be in distress or if the dispenser hasbeen stolen.

The drug watchdog program 520 also uses the bio-identificationsub-system 532 within the advanced sub-systems 530 section to firstmemorize the identity of the current drug consumer using a biometricinput. The current dosage rule file 522 will be received and targeted tothe needs of this specific drug consumer.

When first provisioned by a drug dispenser the drug watchdog 520 mightuse the mechanical sub-system 504 to open the main door so the entireprescription of drugs can be inserted into the drug dispensing equipment502. Once initiated the drug watchdog 520 would make use of the timingsub-system 506 to know precisely when the next dose should be dispensedout of the drug dispensing equipment 502. In some embodiments a LEDsub-system might be presented to allow the drug watchdog to illuminate alight to tell the user their dosage time has been reached.

There are many other algorithmic procedures that are possible with thesub-systems and computers involved in a drug dispensing system 500 asdescribed.. For example if the tamper detection sub-system 516 sends analarm to the drug watchdog 520 this might trigger the drug dispensingequipment 502 to never open again (until it is re-programmed by the drugdispenser) and to send an immediate message to the central databasewarning of the intrusion. In another embodiment the drug dispensingequipment 502 might include a terminate drugs sub-system. In thisembodiment the drug watchdog 520 might send a message to this sub-systemresulting in the release of a liquid substance into the main drugcontainer. The liquid substance would then cause the destruction of allthe drugs contained within it so that no unauthorized access would bepossible.

There are many other possible sub-systems that could be present toperform advanced functions 530. In one embodiment there is a sub-system534 to interact with a wearable device that detects whether the drug hasbeen consumed and ingested by the drug consumer. The chemical reactioncaused by the drug consumer’s stomach acids on the chemicals creates adetectable signal. This signal is then passed through the advancedsub-system component 530 to the drug watchdog program 520 to allow forthe next dose of drugs to be ejected. There are many other embodimentspossible with the addition of hardware and software components.

Turning to FIG. 6 there is one embodiment of a user interface 602 for anauthorized user to set up a dispensing device for a patient needingprescription drugs. There are many possible embodiments for a UserInterface (UI) 602 to allow a drug prescriber and a drug dispenser toprepare and complete the assignment of a dispensing device a drugconsumer. This illustration 602 represents a simplified single view of aconfiguration screen that explains the process in general for the drugdispenser. It is not meant to limit in any way all the myriad of otheralternative visual approaches and alternative configuration settingsthat would be possible. The interface 602 can be used to create ormodify the dosage rule file encoding the dosage information forcontrolling the dispensing device (and related dispensing equipment).The dosage rule file can include identifiers for the dispensing deviceand related dispensing equipment. For example, the dispensing device anddispensing equipment may be separate components and the dosage rule filecan indicate an identifier for the dispensing device and dispensingequipment, and can also include communication data to establish a securecommunication path, protocols, and message exchange data.

In this example screen the authorized user has logged in andauthenticated themselves with the system 604. This might be a doctor, apharmacist or even a loved one or caregiver wanting to set up thedispensing device for the drug consumer. The patient information 606section can be very extensive or relatively straightforward. In somecases the information about the patient might come from a PharmacyManagement System (PMS) or an Electronic Medical Records (EMR) system.In other embodiments the information might come from prescriptioninformation held at a central prescription database like PrescribelT™ inCanada.

With the patient selected 606, the authorized user can enter anyemergency contacts 608 in this example. There could be family members,doctors, pharmacists, specialists, healthcare professionals, nurses andnursing-home support workers to name a few 608. In this example witheach contact a cell phone or email contact could be provided. With thisinformation the authorized user can set up one or more of the contactsto receive alert information 608 should the dispensing device trigger analert. For example, if a drug dose is late to be consumed, or is late, adispensing device is running low of drugs or running out of battery lifean alert could be sent to many people.

The authorized user can then enter treatment plan information 610 forthis patient 606. For this example, a drug dispensing start date isprovided to tell the dispensing system when to commence the dispensingprogram. A list of the drugs to be taken are provided along with theirfrequency 610.

The dispensing device and/or related dispensing equipment can bereferred to as a dispensing machine in some example embodiments. Ifadditional specific times are provided each dispensing slot within thedispensing machine can have a very exact time when it is required tomake the dose available for the patient. These times would be based onthe number of total slots that are loaded, current shown as ‘N’ slots610.

The treatment plan can also include advanced settings for the alerts andalarms that are generated for this patient 618. For example, a dosemight be considered late after a certain number of hours and minutes.Similarly, a missed dose might be considered after so many hours andminutes. A minimum dose interval might be added to ensure the patientdoes not accidently take two doses too close to each other 618.

Finally in the treatment plan could be other advanced treatment options620. These might include certain parameters that are used less frequentand in some cases for specialized drugs or patients. For example, if thedrug being taken is a high-risk opioid then additional bio-identitycheck or photographic evidence might be requested. In other examples,the drug could be experimental, like a new cancel treatment. In thiscase perhaps a specialized urine sample is needed once a day to verifythe side-effects of the drug on the patient 620.

Once the treatment plan is selected the authorized user can pick adispensing device to assign to the patient 612. There are many potentialembodiments for this section. In this example different types of drugdispensers are listed for the authorized user to pick from. Their statusis shown and in other embodiments perhaps only available drug dispensingdevices are listed.

Once a dispensing device is selected, additional control information canbe verified from the authorized user 614. This might include selectingwhether the system uses a cell phone, wand or is full integrated 614.With the control method selected, the type of biometric supported bythat method can be determined and required by the drug watchdog program614. The last step shown in this example is the selection of thecommunication method between the drug watchdog program to the drugdispensing equipment can be selected as well 614. If an integratedsystem is used then this would be not applicable (N.A.)

Depending on control method 614, additional security values and codesmight be needed 616. If a separate control device is used to run thedrug watchdog program, like a cell phone, a code value can be generatedby the central database and manually entered into the control devicebeing used. Since all drug dispensing equipment is registered with thecentral database, a code value for this equipment can be presented by UIto the authorized user to provided to the drug watchdog program 616.

Turning to FIG. 7 there is one embodiment of a user interface 702 for anauthorized user to view patient compliance and usage information for anassigned dispensing device. There are many possible embodiments for aUser Interface (UI) 702 to show an authorized user detailed informationand statistics about how a drug consumer is progressing with their drugtreatment plan. This illustration 702 represents a simplified singleview of message summary screen that depicts a sub-set of allinformation, current and historical that would be possible. It is notmeant to limit in any way all the myriad of other alternative visualapproaches and alternative advanced graphic presentation methods thatwould be possible.

The interface 702 can be used for viewing patient compliance and usageinformation, and also to allow adjustment of dosage parameters in thedosage rule file.

The interface 702 can be used to create or modify the dosage rule fileencoding the dosage information for controlling the dispensing device(and related dispensing equipment) and to view a variety of feedbackinformation provided by the dispensing device and related dispensingdevice equipment. The interface 702 displays data collected during thesecure monitoring of the dispensing device and related dispensing deviceequipment.

Once logged into the system the authorized user 704 can navigate over tothe patient compliance and usage screen 702. First, they will have topick a patient to review and look at 706. This will bring up theirtreatment summary information, statistical and historical data. Theymight be able to perform some actions on the dispensing device 710. Thetwo example actions shown are to return the device 710 or to report aproblem with a device 712. Other actions could include forcing a dose tobe expelled immediately for the patient, request the biometric bereacquired from the patient and many other actions.

The authorized user 704 might then be given an opportunity to changeconfigurable elements of the treatment plan 708. This might include thetime certain drugs are released, the limits on late doses or misseddoses and other soft-based configuration settings. Without thedispensing device in hand, they are not able to change the physicalelements of the system, for example the number or types of drugscontained in a certain dispensing slot.

The compliance and usage screen 702 might have various adherencedisplays and statistical numbers for the authorized user 716, 718. Inthis example, the adherence shows a 94.5% adherence level with 12 dosestaken to date, 2 late doses and 1 missed dose 716. The dosing activityis presented as well 718, showing the exact action of each dose slot,time it was released and whether it was missed and has no extractiontime 718.

Finally, the authorized user might be able to view historical data 720that shows the patient’s overall adherence percentage over manydeployments of the dispensing system 720. This example the patient hasachieved a 96.7 percentile of adherence with an average deployment of 15days per dispensing device. It also looks across all data to determinethat the highest missed dosing period is 5pm in the evening. Thisexample is but one of many possible embodiments of what could bepresented with all the historical data collected in the system. Turningnow to FIG. 8 there is a dataflow diagram 800 of one embodiment for adrug prescriber to set up a dosage rule file. The drug prescriberreceives the drug consumer and after examination and discussions decidesthat the patient could benefit from a high-risk prescription 802.

First the drug prescriber must decide if they are going to use theiroriginal prescription method or the newer prescription method using acentral database described in this patent 804. In some embodiments thiscould be related to whether the drug prescriber considers the drug highrisk enough to bother with the more elaborate steps involved withworking with the central database.

In other embodiments they are not up to speed on newer prescriptionmethods for high risk medications. If they are not going to use thenewer method, the drug prescriber writes up the prescription on theirtraditional customized prescription pad or on their local computersystem 806. In some embodiments they might also have a remoteprescription computer site they are already working with to prepareprescriptions 806. Advanced e-prescribing solutions like PrescribelT™are starting to be used by more and more doctor’s offices. This choicewill lead the drug consumer to hand-carry their prescription to a drugdispenser to be filled or perhaps present a document indicating theyhave an e-prescription started.

Alternatively, the drug prescriber is willing and able to work with thenew prescribing method for high risk drugs. The first step is for thedrug prescriber to request valid identification from the drug consumer808. If the drug consumer does not have a valid piece of identification,then a specialized biometric method could be used 810. If the biometricis not available, the drug consumer will have to be turned away 812.They might go to a more advanced drug prescriber, a hospital or anadvanced clinic where they can use their biometric. In other embodimentsthey will be faced with acquiring the proper identification ofthemselves.

If the biometric method is available 814, the name of the drug consumeris taken and used as the primary lookup 814. At the same time thebiometric of the drug consumer is also taken 814. In some embodiments adispensing device is given to the drug prescriber for the sole purposeof capturing biometric. In other embodiments a biometric reader, whichis compatible with the dispensing device is used to collect theinformation. The device that is used is attached to the drugprescriber’s computer where it captures and transmits the biometric overthe link to the computer. The computer program or browser available tothe drug prescriber holds this and uploads it when requested after thelogin stage. The biometric might be a fingerprint, a facial scan, a palmdeep vein scan or some other type of biometric. In other embodiments thedrug consumer, especially if they are homeless and without photoidentification, might have a sub-dermal implant that provides a uniqueidentity 814. Once this is collected the drug prescriber can proceed tolog into the central database 818 with this information.

If the identification provided by the drug consumer meets therequirements set forth by the drug prescriber, then normal procedurescan be used 816. In some embodiments the valid identification can beanything that has an address and a photograph of the person. In otherembodiments the drug consumer might have some advanced identificationlike a sub-dermal implant with an NFC identification chip. In someembodiments the identification used with the drug prescriber must beidentical to the identification used with the drug dispenser. Thesedetails will be made known to the drug consumer as the drug prescriberbuilds the dosage rule file at the central database.

In those embodiments a reference number like a health card number ordriver’s license will be recorded and will have to be matched laterbefore the prescription will be dispensed. With a valid identificationfrom the drug consumer 816 the drug dispenser can log into the centraldatabase and provide the ID and indicate the type of ID used 818. If theidentification is a driver’s license or some other physical form ofidentification this is indicated. If the identification is a biometric,then this is indicated. In this embodiment the central database savesthis information and uses it for the next step.

Once the identification is entered an advanced search is performed 820by the central database. This advanced search will use the drugconsumer’s name, their identification and their bio-identification ifprovided to see if there is any reason why this drug should not beprescribed to this drug consumer 820. In some cases the drug consumermight be doctor-shopping in order to get multiple prescriptions of thesame drug in order to abuse the drug. If the drug consumer provides afalse name and has false photo identification then there could beproblems tracking down the fact that they are trying to abuse thesystem. In these cases the biometric method is the best method to catchthem and stop their potentially abusive activities. If the drug consumeris not safe to prescribe the requested drug 822 they will be turned away824.

If the drug consumer is not matched in the system, the drug prescribercan continue through the remaining steps to setup and configure aprescription file for the drug consumer 826. An example UI for this stepis provided in FIG. 6 . There are many embodiments for what a dosagerule file contains. In table 1 of this application provides some examplefields for the dosage rule file, for example it could have the drug nameand in some cases the manufacturer, the strength of each dose and thefrequency of dosage. In other embodiments the drug prescriber can alsoindicate the drug-overlap so that the dispensing device can be re-filledbefore it is completely empty. In this embodiment the interface mightdefault to 3 dosages and the drug prescriber can adjust that when theytalk to the drug consumer 826.

Turning now to FIG. 9 there is a data flow diagram 900 of one embodimentshowing the first interactions between a drug dispenser and a drugconsumer. A drug consumer arrives at a drug dispenser’s location andrequests that a prescription be filled for drugs that require the use ofa dispensing device 902. This could be any form of drugs and in someembodiments include high-risk and highly addictive drugs that they havebeen prescribed 902.

In other embodiments the drug consumer is supported by a health careprofessional, family member or loved one and the location is a healthclinic, old age home, senior care facility, the drug consumer’s home ormany other possible places. The first decision to be made is todetermine if the drug dispenser has an authorized login at the centraldatabase 904. They would be authorized if they have been professionallyaccredited by a governing body in one example. It is also possible theyare using an e-prescription service and have an authorized login theycan use there.

If they are already authorized, or have the ability to create thatlogin, they can proceed to log into the central database 906 and fulfillthe authorization stage of the system. They would be presented with a UIsimilar to the one presented in FIG. 6 . They can then look at what thedrug consumer hands them or tells them and decide if the drug prescriberhas already started the process of creating an e-prescription 908. Insome embodiments the dosage rule file 908 may be have started on thecentral database. In other cases, the e-prescription might have beenstarted on a regional or national e-prescription service.

If they believe there should be a dosage rule file started at thecentral database or a e-prescribing service, they proceed to do thenecessary work to find it 910. If an e-prescribing service has beenused, then the information can be extracted using APIs and a dosage rulefile can be started using this information. In these embodiments thedrug dispensing might be working with a Pharmacy Management System(PSM). When a PMS is used there could be a two-step process for buildingthe dosage rule file.

In this embodiment the drug dispenser first locates the existinge-prescription on the server and downloads the patient’s prescriptionscript. The second step is when this information is imported into thecentral database using various APIs, like JSON as previous discussed.This path leads to a series of additional steps on FIG. 11 912. Ifhowever the drug consumer indicates they do not have a dosage rule fileor an e-prescription already started 908, then the drug dispenser willhave to create a new dosage rule file 914. The drug dispenser will haveto collect identification information from the drug consumer and beginto fill in the dosage rule file information 914. To perform these stepsthe logic leads to a series of other steps found in FIG. 1 916.

If the drug dispenser does not have authorization at the centraldatabase 904 a different set of steps are required for them. First, theymust determine if the drug consumer has brought them a compatibleprescription that is located on the central database 918. In thisembodiment the drug prescriber has started the dosage rule file on thecentral database or an e-prescribing service, but the drug dispenser isunable to find it and continue building it 918. This can happen when thedrug dispenser is not authorized or is relatively new and has not beenadded to the central database.

In other situations, perhaps in a remote community the drug dispenserdoes not have access to a public network like the Internet. Maybe thedrug dispenser is older and very set in their ways and refuses to makethe effort to create a login account for themselves at the centraldatabase. This might also happen if a health profession or family memberis trying to use the dispensing device, but a real pharmacist is neededto facilitate this. In these situations the drug consumer will have tobe turned away and will have to find another more advanced drugdispenser 920.

However, if the drug consumer hands them a prescription that has notbeen started on the central database 918, the drug dispenser can stillprovide a safe means to deal with this drug. The first decision the drugdispenser makes is whether they want to login to the central database922. If they do not want to bother, they will have to attach the drugdispensing device 924. Since the dispensing device acts as an extensionof the central database, it can perform the authorization stage onbehalf of the central database for the drug dispenser. In someembodiments this connection could be a USB connection, in otherembodiments it could be a Bluetooth connection just to name a few. Insome embodiments a Bluetooth connection is useful when a cellphone isused in the authorization and provisioning stages. After connecting thedispensing device 914 they open an interface using an Internet browseror a custom-built application to the drug watchdog on the dispensingdevice over the connection that has been established 926. This path thenleads to a series of provisioning steps in FIG. 10 928.

Otherwise if they do want to create or use an existing login on thecentral computer, they open an interface to the central computer 930using an Internet browser or a dedicated, custom-built application. Thisleads them to the path of creating a new dosage rule file from scratchon the central database 914. This path leads to a series of steps forcreating a new dosage rule file in FIG. 11 916.

Turning now to FIG. 10 is a data flow diagram 1000 of one embodiment fora drug dispenser to work directly with a dispensing device to provisiona dosage rule file. Since the drug dispenser has elected to workdirectly with the dispensing device, they have opened an interface overthe connection established. There are several embodiments for how toview the interface, for example an Internet browser might be used andthe dispensing device provides HTML compatible messages for the drugdispenser. In another embodiment a custom-built application can be usedto talk to the dispensing device using a proprietary interface format.This embodiment would be more frequently used with a fully integrateddispensing device, where the drug watchdog program is running within thesame physical enclosure.

Whatever interface is provided to the drug dispenser they must waituntil the connection is successful. If not connected 1004 they might begiven warning to try other methods or other computer links. In someembodiments if universal serial bus (USB) is used then perhaps they haveplugged the dispensing device into a bad USB connection on the computer.Most computers have two or three USB ports to choose from. In otherembodiments if a Bluetooth connection is used perhaps coverage is anissue or the computer doesn’t support Bluetooth, or the Bluetoothpairing protocol has failed for some reason. In these embodiments itmight be best for the drug dispenser to switch from Bluetooth to USB toreduce frustration. In some embodiments if a connection method is usedthat does not involve a physical connection like Bluetooth for example,the drug watchdog program on the dispensing device might perform achange in state on the dispensing device to challenge the user 1004.This change of state could be illuminating a unique combination of LEDlights, making a sound, or displaying a set of numbers or letters on ascreen. This ensures that someone who is physically close but not incontrol of the dispensing device. In these embodiments the change instate of the dispensing device will require confirmation on theinterface that ideally cannot be seen by the person trying to hijack thedispensing device. The goal is to ensure a nefarious individual does notsucceed in confusing or taking control of the login process.

This process will continue until a solid connection is detected and hasbeen verified before the drug dispenser can proceed to the next step.Since the drug dispenser is not connected to the central database thedispensing device must rely on its cellular capabilities to create asecure link to the central database. This is where the dispensing deviceis acting as a proxy for the central database to create anauthorization.

In many embodiments the RF cellular link could be over a wide-areawireless technology like GSM, EDGE, UTMS, 4G, 5G or future 6G typenetworks. In other embodiments the RF link is over a WiFi networkfollowing 802.11 protocols. In this embodiment where WiFi is used by thedrug dispenser, they will have to provide their WiFi password and accesscodes for the dispensing device to establish its secure link.

The interface will inform the drug dispenser whether a solid cellularconnection has been established or not 1006. If these attempts fail theinterface will provide some guidance and suggest re-positioning thedevice or even in some cases trying another dispensing device 1008. Ifthe drug dispenser can’t get a reliable link they may have to abandonthe effort.

Otherwise once the RF link is established the drug dispenser will begiven the login screen from the drug watchdog 1010. The login screenmight require them to reenter a previously established login. In someembodiments the login might be just a password or access code. In otherembodiments the login could be a login name and a login password. Inother embodiments it could be a login name, login password and an answera familiar question challenge, like where were you born 1010. If thelogin attempt fails 1012 then the dispensing device is blocked from them1014. In some embodiments there could be there are drugs still insideand inappropriate attempts are being made to get into the dispensingdevice 1014. In some embodiments after several wrong answers thedispensing device might start to send alert messages to the centralcomputer. The central computer might in turn send out alert emails toall health care professional associated to this dispensing device. Toomany failures in entering an existing password can result in thedispensing device shutting down the interface for a period of time todiscourage the password attack.

Once the old password is entered or a new password is created for abrand-new dispensing device 1012 the drug dispenser can begin theprocess of creating a new dosage rule file 1016. The drug dispenser goesthrough a series of questions and answers to fill out a table similar tothe example provided in Table 1.

Once the required answers are provided the drug watchdog on thedispensing device is ready to establish or confirm their encryption keywith the central database and begin exchanging messages. This includesgetting status information to the central database, uploading the dosagerule file and getting status back from the central database about thedosage rule file. A review is done by the drug watchdog to ensure theupload was good and the status is good from the central database 1018.

There are several embodiments of what the status from the centraldatabase could indicate. For example, it is possible that when the drugdispenser uses this dispensing device method to distribute high-riskdrugs that a biometric is required from every patient 1020. In thisembodiments a biometric is taken for each and every drug consumer thatwants a prescription filled for a high-risk medication 1022. In theseembodiments the drug dispenser will take a biometric from everyoneasking for a particular set of drugs. This biometric will then beuploaded to the central database where it will be used for an advancedsearch against all other biometrics in the system 1022. A further statusis received and checked 1018 by the drug watchdog. If the status isstill not okay and a biometric is not required 1020 then it is possiblethe biometric reviewed issues or some other error has taken place 1024.The drug consumer is informed, and the exact error is reported throughthe interface to the drug dispenser to pass along to the drug consumer1024. Otherwise if the status is good and the upload is good thedispensing device can be provisioned, and control continues in FIG. 131026.

Turning now to FIG. 11 there is a data flow diagram 1100 of oneembodiment for a drug dispenser to work with the central database toprovision a dosage rule file. Based on FIG. 6 a drug consumer hasarrived at a drug dispenser’s location and is asking for a drug theyhave been prescribed that requires the use of a dispensing device 1102.The drug dispenser is logged into the central database either throughtheir authorized login and password or as authorized by a connecteddispensing device 1102. In this later embodiment the drug dispenser mayhave reused a previously created login and password from previousprovisioning of drug dispensers.

The drug dispenser first determines if the drug consumer has valididentification 1104. In some embodiments the biometric is alwayscollected by the drug prescriber and in those embodiments every drugconsumer is assumed to have insufficient identification or that the drugis so high-risk that it is the safest course of action. In otherembodiments it might be the drug is highly sought after in the openmarket for the illicit drug trade so every person needing it must beprotected. In this embodiment it is possible the drug consumer will havevalid identification and the central database will request a biometricat a later time.

If the drug consumer does not have valid identification 1104 the drugdispenser decides if they can provide a biometric method for findingtheir medication 1106. In some embodiments there could be some drugdispensing locations that cannot provide this service. In someembodiments the drug consumer comes into the drug dispenser’s locationalready knowing they need to use the biometric method and simply tellthe drug dispenser they must be able to support this. If this drugdispenser cannot provide this service, the drug consumer will be turnedaway 1108.

Otherwise if the drug dispenser can provide this service, they willfirst take their name for the first stage lookup 1110. Then they willtake the drug consumer’s biometric from a device that is connected totheir computer 1110. In some embodiments the biometric input devicecould be the dispensing device itself that is being used in aspecialized collect and send biometric only mode. In other embodiments aspecialized biometric reader is used that is fully compatible with thebiometric collector used in the drug prescriber’s location. With thisinformation collected, the drug dispenser can provide this informationto the central database and proceed with the necessary steps 1114. Inother embodiments where the drug watchdog right be running on a drugconsumer cell phone, the biometric will be collected from this deviceand verified.

If the drug consumer has valid identification the drug dispenser takesthis information and talks to the drug consumer to ensure it is the sameinformation provided to the drug prescriber 1112. Through the interfaceto the central database they can now submit the identification collectedand also indicate the type of identification and whether a biometric isalso present 1114. The drug dispenser then requests that an advancedsearch be preformed by the central database’s computers to ensure thedrug consumer can receive this dosage rule file 1114. With thisinformation the central database looks through all dispensing deviceassignments to ensure this drug consumer is okay to receive thisprescription. As discussed, in some embodiments the drug consumer isonly allowed to possess one dispensing device with a given drug withinit. In other embodiments the drug consumer can have two or moredispensing devices that will work in series to dispense drugs. So as onedispenser is depleted of drugs the central database sends a begindeployment command to the next dispensing device in sequence until theyare all depleted.

The first feedback from the lookup checks to see if a biometric isrequired from the drug consumer 1116. In some embodiments the centraldatabase might be requesting a biometric from every single drug consumerwanting this particular drug. There are many other embodiments as to whythe biometric must be provided. In this situation the drug dispensermust have the ability to collect the biometric 1106. If they cannotprovide this service, the drug consumer is turned away 1108.

Otherwise, the biometric is collected and provided to the centraldatabase 1110. With the newly acquired biometric the central databasecan then perform another search with the biometric data included in thesearch and finally approve or not approve the drug consumer 1114.

With the biometric received and confirmed a check is performed to see ifthis is a new dosage file being created 1118. Coming from FIG. 6 thereare logical paths where the drug dispenser was not completing an alreadystarted dosage rule file. If this is a new dosage rule file, anadditional check is made on the status code returned from the advancedcentral database lookup 1120. If the code indicates a problem theprocess is terminated, and the patient does not receive their drugs andare turned away 1122. Even through the biometric was not used to find anexisting dosage rule file, it might have found a drug consumer that istrying to game the system for additional doses of high-risk drugs. Thisembodiment and several others could occur that indicate the drugconsumer is unsuitable to receive a dosage rule file, and the associateddrugs, so they are turned away 1122. As discussed earlier there aresituations where a drug consumer is allowed to have more than onedispensing device with the same drug in it and in other embodimentswhere they are not allowed to use the hot-swap method. This check willhelp ensure rules around using the hot-swap method are followed.

If the status code from the advanced search indicates there is noproblem 1120, the drug dispenser can open the ‘create new’ interface andstart to fill out the fields for the dosage rule file 1124. They willsave the drug consumer’s identification and any biometric that has beenprovided 1124. When all the fields are completed, the dosage rule can bedownloaded which takes place following the logic in FIG. 12 1126.

If the drug dispenser is not starting a new dosage file 1118, they musthave been trying to match an existing dosage rule file. Therefore, thestatus returned from the advanced looking from the central database ischecked 1128. If the status indicates there was a problem, it could bebecause the dosage rule file could not be found 1130. In othersituations the negative indication on the search could indicate there isanother reason the drug consumer is unsuitable 1130. In some cases,between the times that a prescription is created and it is filled, thedrug consumer could have already tried to abuse the system 1130. Therecould be other scenarios where the drug consumer is unsuitable toreceive a dosage rule file, so they are turned away in these cases 1130.

If the drug consumer is okay to receive this dosage rule file, the drugdispenser can optionally connect a dispensing device to their computer1132, if not already connected. In some embodiments the drug dispenserhas already connected the dispensing device to be granted authorizationto login into the central database. In other embodiments the drugdispenser has been granted access via their organizational credentialsfrom a regulating body. In some embodiments the credentials have beengranted through a national or regional e-prescribing service, likePrescribelT™ in Canada. In these embodiments the drug dispenser willfirst retrieve the prescription script from the e-prescribing serverinto an extension to a Pharmacy Management Solution (PMS). Then theywill import these values into the dosage rule file fields on the centraldatabase and complete the final fields 1132.

In other embodiments the owner of the dispensing device has possessionof the device and is working with the central database directly. Inthese embodiments the dispensing device does not have to be connectedand the central database can use the cellular link to reach it. In theseembodiments the drug dispenser is required to enter the dispensingdevice’s identification code to start a verification process that theypossess the device.

The verification process for the drug dispenser involves confirming theyare in possession of the dispensing device. This is performed byconfirming a change of state sent from the central database to thedispensing device. This change could be the illumination of LED lights,some auditory sounds or a display of numbers and letters. Once confirmedthe drug dispenser will be able to continue filling out the dosage rulefile 1132 until all fields are satisfied.

With the device identified by the central database the prescription filecan be downloaded to the drug watchdog program running on the identifieddispensing device. FIG. 12 shows the logic involved in downloading nowthat the dispensing device is identified and the drug consumer isapproved for the dosage rule file 1136.

Turning to FIG. 12 is a data flow diagram 1200 of one embodiment for theprocess to download a created dosage rule file from a central databaseto a dispensing device. Based on the steps from FIG. 11 the centraldatabase will do a final confirmation that a dispensing device isconnected or reachable through some communication means 1202.

As mentioned in some embodiments a connection is not required to thedrug dispenser’s computer 1202. In some embodiments this datacommunication connection between the central database and the dispensingdevice could be facilitated by an Internet browser, an Internet browsersoftware add-on or extension. In other embodiments a custom piece ofsoftware is used by the drug dispenser to facilitate a connectionbetween the central database and the dispensing device.

The central database has details on each dispensing device and knows ifthe dispensing device supports cellular communications. If thedispensing device does support a cellular data communication link, thecentral database will confirm a cellular link has been made. One exampleUI for the drug dispenser is shown in FIG. 6 . In some embodiments thedrug dispenser will work with an external wand or cell phone type devicethat will be running the drug watchdog. In these embodiments the centraldatabase will establish a secure connection with this device after ithas been properly configured to work for this given drug consumer 1204.

Once both connection methods have been checked the central database canthen confirms that at least one link has been established with the drugwatchdog either on the drug dispensing equipment 1204 or on a separatecomputer system. For example, in the embodiment where the drugdispensers is using the dispensing device as authorization for the loginto the central database, it must be connected. In those embodimentswhere the cellular link can be used exclusively, a check is made that atleast a cellular connection has been achieved 1204. In some embodimentsboth a connection through the drug dispenser’s computer and a cellularconnection could used to complement each other. In this embodiment thecentral database would have the discretionary choice as to which linkthey used based on coverage, the quality and speed of the link, securityissues and other factors.

If the required link is not present, then the error is displayed to thedrug dispenser over their interface 1206. The drug dispenser will begiven the choice to attach another dispensing device 1206 or abandon theeffort or try again. In some embodiments it could be a cellular coverageand signal issue. The drug dispenser is informed that the dispensingdevice cannot be reach and it is up to them to determine if coverage isan issue. In some embodiments the central database might be capable ofdisplaying the current RF signal strength to the drug dispenser.

If they do attach another dispensing device, they enter the dispensingdevice Id and return to the connection step 1202. With one or both aphysical connection and cellular connection created, the dispensingdevice can confirm it has an establish a secure communication path fordata communications. In some embodiments it must create or use apre-loaded encryption key 1208. In other embodiments a securecommunications path can be established with the telecommunicationsnetwork being used, for example like an SSL connection over a cellularand Internet combined connection using both a client and a servercertificate.

In some embodiments a secure link is not possible, and every messagewill be encrypted for maximum security. In some embodiments thedispensing device was manufactured and preloaded with the necessaryencryption keys from the central database. For example, using public andprivate cryptography every dispensing device is manufactured with aprivate key and the matching public key has been provided to the centraldatabase.

In other embodiments an encryption key is created using a seed value,like the dispensing device identification. Different encryption methodsfor creating a shared encryption key can be used with the encryption keyavailable. Over the secure communications path the dispensing deviceprovides its identification and its status information to the centraldatabase for verification 1210.

The verification step will look at the current status of the dispensingdevice and check message exchanges to confirm whether any serious errormessages have been received 1210. For example, in some embodiments thedispensing device’s identification could be unknown. Perhaps this is arogue or illegal dispensing device that someone is trying to use. Insome embodiments the dispensing device could have battery issues. Inother embodiments the dispensing device could have software ormechanical issues and needs to be retired 1210. In this situation thedrug dispenser is told to attach another dispensing device 1212 andprovide the new identification to the central database. The process thenreturns to step 1202 to allow another dispensing device to be tried.

If the dispensing device is suitable then the central database doesfurther checks on additional details about what has been happeningduring its last dosage rule file usage 1214. It might indicate an issuebetween the drug consumer’s consumption profile with previously loadeddrugs within the dispensing device itself. The dispensing device mighthave a deeper software issue or an issue with the drug dispenser’slocation. This deeper status issue could indicate the reception of oneor more error messages that suggest an attempt to break into thedispensing device or that the dispensing device has been compromised insome way that isn’t immediately visible 1214.

If there is a problem a further check is made to see if there is adispensing device specific issue 1216. If there is a dispensing devicespecific issue, the drug dispenser is told to attach another dispensingdevice 1212. Another dispensing device is attached, then theidentification is provided to the central database 1212 so it can gothrough the same process at step 1202. Otherwise if the drug consumerhas been abusing the device or abusing the system and the drug dispenseris informed 1218. The drug dispenser can take the dispensing device andturn away the drug consumer 1218.

If the dispensing device’s deeper status is okay, then the dosage rulefile is downloaded 1220 using the communications medium best suited andchosen by the central database. Any other important and privateinformation is also downloaded into the system at this time as well.This information could relate to operational behaviour, movement statusinformation, behaviours to watch out for related to location and drugconsumption issues. Finally, the drug dispenser is ready for finalprovisioning and normal operation; the process continues in FIG. 131222.

Turning now to FIG. 13 there is a data flow diagram 1300 of oneembodiment that illustrates steps in the first steps of the provisioningstage for a dispensing device. With the dosage rule file built, eitheron the dispensing device direction or on the central database, it can beexchanged and verified.

In those embodiments where the dispensing device builds the dosage rulefile, the provisioning stage can begin once it is uploaded, asillustrated in FIG. 10 . Alternatively, the drug dispenser as built thedosage rule file on the central database and it is downloaded to thedispensing machine, can the provisioning stage start. This isillustrated in FIGS. 11 and 12 .

With the central database and the dispensing device have exchanged thedosage rule file, the central database sends a command to commence theprovisioning stage 1302. Additionally, the drug dispensing is given thedetails of the dosage rule file and if they are logged into the centraldatabase will have additional options. In some embodiments they will begiven the ability to customize a printout for the drug consumer. In someembodiments they can also print out a label to affix to the dispensingdevice similar to a pill bottle. With the dosage rule file safelydownloaded to the drug watchdog on the dispensing device the drugdispenser is given access to the dispensing device’s main holding area1302. In one embodiment the software releases an internal latch or lockand a larger door can be opened. In another embodiment a specialized keycan be used to unlock the dispensing device to load in the drugs at thistime.

With the dispensing device open the drug dispenser can look into thedispensing device to see if there are any visual problems 1304. Thereare many possible expected and unexpected issues that could be seen oncethe dispensing device is open 1306. The drug dispenser decides if thedispensing device should be terminated and retired 1306. In oneembodiment the dispensing device might have gotten wet or it has beensubmerged in water for a period of time, for example caught in the rain.There is also a chance mould or mildew has developed in the device, orthe mechanism appears broken. If these obvious major problems are notseen, then it is possible the dispensing device is not empty; this couldbe expected or unexpected. If it is expected the drug dispenser might besimply topping-up the number of drugs in the dispensing device 1318.

In other situations it might be unexpected to find drugs in the maincompartment 1318. In this case the drug might have to be removed andreturned to the manufacturer for destruction. In some embodiments thedispensing device must be cleaned, which could involve sterilization orwiping the unit with a sterile implement. In these embodiments eachdispensing device must be physically sterilized before new drugs can beinserted into the device. In some embodiments a disposable piece thathad previous held drugs is thrown out and a new drug holding componentis added to keep each load of drugs from cross-contaminating each other.

With the unit cleaned, sterilized and ready for loading, the drugs areremoved or topped-up within the dispensing device and the maincompartment is closed 1320. There are several ways drugs could beinserted into the device. In some embodiments each drug is encoded witha bar code, a Q-code or some form of indicator. Each time a drug isinserted into the device the bar code is read and is confirmed againstthe expected drug indicated in the dosage rule file.

In other embodiments the drugs are inserted into a separate containerthat confirms the types of drugs inserted before being placed into thelarger dispensing device. In some embodiments to facilitate a sterileenvironment, each drug is separately wrapped in some form of removablecovering which is also bar coded in some fashion. In some embodiments alow-frequency RFID tag could also be included that would be detected andread by the dispensing device once inserted. As each pill is placed intothe dispensing device the covering is scanned to confirm the drugmatches exactly what is listed in the dosage rule file.

Alternatively, if the dispensing device has a serious problem and theuser has logged into the central database 1308 then can update thecentral database about this broken unit, retire the dispensing deviceand start the process over 1310. Since the drug dispensing is loggedonto the central database, they can enter the details into the centraldatabase’s interface 1310. In some embodiments there could be apick-list of choices to help narrow down the specific issue the drugdispenser is seeing. In other embodiments the drug dispenser will simplydecide about whether the dispensing device or drug consumer is thesource of the problem. This will mean returning to FIG. 11 andconnecting a new device 1312. If the drug dispenser is not logged intothe central database they can create an authorized login directlythrough the dispensing device. They can write-down the number of thedispensing device that has the serious problem, retire the device andconnect another dispensing device 1314. In this case they must startover on FIG. 10 1316.

If there are no visual inspection problems revealed 1304, then the drugdispenser can proceed to place the prescribed drugs into the dispensingdevice 1320. Once the dispensing device has receive the correct amountof drugs, the larger door on the dispensing device is closed and theunit is ready for performing the final provisioning step.

The last step in provisioning of the dispensing device requires the drugconsumer to provide their bio-identity with the dispensing device. Insome embodiments, this can be a one-step process that collects thebiometric information for confirming every drug dose to be taken. Inother embodiments, it involves a biometric and a biomedical input. Thereare several embodiments that are possible with the dispensing deviceonce it is loaded with drugs. The first step is to determine if thedispensing device is leaving the premise to reach the drug consumer1322. If it is not leaving this implies the drug consumer is present andcan provide their bio-identity. In this case the data flow moves to FIG.14 a 1324.

In some embodiments the dispensing device will be delivered by bondedcourier, drug delivery agent or hand-carried in some fashion to the drugconsumer 1326. This could be an elderly patient, it could be a personwho is extremely sick, it could be someone who is self-isolating due toa communicable disease or a worry about spreading a pandemic virus.Whatever the case, the dispensing device has no issues with staying in apartially completed provisioning stage waiting for the bio-identityinput 1326.

To ensure that there is no mis-step in collecting the bio-identity thecentral database sets a trigger to ensure the bio-identity is providedin a timely fashion 1328. The trigger could be a timer causes anotification email message to be sent to the drug dispenser, or it couldresult in an SMS message being sent to a drug dispenser’s cell phone.With the trigger set, the data flow moves to FIG. 14 b 1330.

Turning now to FIG. 14 there is a data flow diagram 1400 of oneembodiment that illustrates steps for finishing provisioning andentering the deployment phase for a dispensing device. Data flow fromFIG. 13 arrives into FIG. 14 in two forms. First in action labelled FIG.14 a , there have been triggers set within the central database and theycould either be terminated because a bio-identity has been received, orthey have expired 1402. If they have expired, perhaps several hours or aday has passed, an alert is sent to the drug dispenser 1404. The drugdispenser is encouraged to contact the drug consumer and they arereminded to provide a bio-identity 1404. If they are an elderly patient,perhaps the drug dispenser provides them with guidance on how to performthis action 1404. Then an additional trigger is set in the centraldatabase to ensure the bio-identity is received 1406.

Second in action labelled FIG. 14 b the drug consumer establishes theirbio-identity with the dispensing device 1408. This is detected at thecentral database as the dispensing device sends a message indicating ithas entered full provisioned stage 1408. In this case any triggers areterminated related to this dispensing device 1408. If the drug consumerwas physically present beside the drug dispenser it is likely notriggers had to be set and so they were not needed.

When collecting the biometric part of the bio-identity there are severalembodiments. In some embodiments, part of this step may have alreadybeen performed when a biometric was collected from the drug consumer. Inother embodiments the biometric has been downloaded with the dosage rulefile from the dispensing device when it is provided to the drugprescriber. However, in this step the bio-identity goes directly intothe memory of the dispensing device for daily use each time the drugconsumer wishes to extract another dose of drugs.

In some embodiments the dispensing device might also encrypt thisbiometric to ensure it is not compromised, stolen or damaged in someway. In other embodiments the biometric will use a secure enclave methodfor storing and matching the biometric. The enclave method turns thebiometric, like a fingerprint or heart rhythm into an algorithm that isuploaded into the dispensing device or created by the dispensing device.In this embodiment the biometric itself is not stored on the dispensingdevice, just an algorithm that is created by the biometric. When thisalgorithm is executed with input from a newly acquired biometric itproduces a match or no match answer. This is a method that can be usedby smartphones and small devices with limited computing resources and ahigh need for security.

The provisioning of the full bio-identity may include one or more stepsinvolving biomedical data collection and upload to the central database.The drug dispensing might have to collect blood analysis results,urinalysis results, EKG, EEG, saliva testing results, photographicidentification and a wide range of combinations of these inputs. In anexample the drug consumer can use a urine test strip and take aphotograph and upload this to the central database. The data can act asa baseline for further photographs to see the effects of the drugs onthe drug consumer’s body. Further embodiments of this biometrical stephave been described earlier in this patent.

In some embodiments the bio-identity is then shared with the centraldatabase and the drug dispenser’s interface shows acceptance of thebio-identity 1416. In other embodiments the bio-identify is maintainedonly on the dispensing device and a confirmation message thatprovisioning steps are complete is sent. This message then shows thatthe dispensing device 1416. In some embodiments the interface will allowone or two additional trial runs of the bio-identity to ensure it isworking consistently.

With the successfully provisioning of the bio-identity the dispensingdevice has completed the provisioning steps and enters full provisionedstage. When this is communicated to the central database it allows thecentral database to decide when to begin the deployment stage. In someembodiments this happens immediately after the provisioned stage isreached. For example, if the drug consumer has only one dispensingdevice with this drug assigned to them the central database can decidedto auto-deploy immediately. In other embodiments the drug dispenserwould like control over when deployment takes place even with only onedispensing device deployed. For example, if the dispensing device mustbe couriered to the drug consumer’s home.

With the bio-identity received a check is made to see if the drugdispenser is connected via the UI to the central database 1410. If thedrug dispenser is actively working with a drug consumer in the samephysical space, they might still be sitting at their screen watching allthe final steps to confirm everything is flowing smoothly 1410. If theyhad the dispensing device delivered however they are probably notconnected. In this case an alert is sent to the drug dispenser toindicate the status change in a dispensing device that has now beenfully provisioned 1412. The drug dispenser can then optionally connectto the central database to ensure the dispensing device entersdeployment stage correctly 1414. Naturally over time the drug dispenserwill trust the operation of the central database as it follows specificlogic and knows precisely when to deploy one or more dispensing deviceswhen sent to the same patient using the hot-swap, continuous drug supplymethod.

If the drug dispenser connects display the status change to theinterface 1416. Another logic is made to confirm whether the drugconsumer is present beside the drug dispenser in their office 1418. Ifthey are present the drug dispenser can decide whether they are allowedto take the dispensing device home or not 1420. Depending on thesituation, the drug dispenser must decide if it is reasonable for thedrug consumer to take the dispensing device home 1420. In someembodiments the drug consumer is homeless or untrustworthy and so thedispensing device will have to stay on the premise of the drug dispenser1420. In other embodiments the dispensing device can be taken home bythe drug consumer 1420.

When the central database receives the fully provisioned message fromthe dispensing device there are several embodiments as to how and whenthe dispensing device is commanded to enter the deployment stage 1422.In one embodiment the central database will auto-deploy the dispensingdevice. This could happen if this is the only or first dispensing devicegiven to a drug consumer. Since there are no other dispensing devices itis safe for this dispensing device to start operating immediately 1422.

In another embodiment the drug dispenser might want to have some say inwhen the begin deployment command is sent 1422. In some central databasedesign options there could be an override to allow the drug dispenser todecide when deployment starts 1422. This might be useful for a high-riskdrug consumer or someone that is a flight risk.

In another embodiment the drug dispenser has little to no control overdeployment but can issue a stop deployment to an earlier dispensingdevice in the field 1422. This might be necessary if a first dispensingdevice is exhibiting issues and problems and must be stopped. Once thefirst dispensing device has received the stop deployment the seconddispensing device will be sent a begin deployment command. In situationswhere multiple dispensing devices have been given to the same drugconsumer with the same drug it is the central database that tracksprecisely when to issue the begin deployment command 1422. It will onlyallow one dispensing device to be in active deployment at a given time.Only when the currently deployed dispensing device runs out of drugswill the next dispensing device be deployed 1422.

After receiving a begin deployment command, the dispensing device is inthe deployment stage and begins its normal course of operation 1424. Itfollows the guidelines of the dosage rule file and allows the singledose drug dispenser to open every time the prescription indicates a doseis allowed and the biometric input is provided 1424. In some embodimentswhen cellular support is present in the dispensing device, messages willbe sent providing full tracking information to the central database.There are many embodiments for the type of tracking informationavailable to the central database and it will be closely related to thefunctionality of the dispensing device.

In some embodiments there can be messages indicating when drugs wereextracted by the drug consumer, related to when they were allowed. Insome embodiments where the dispensing device supports GPS 1426, therecould be information about the location of the device and where ittravels. In some embodiments there could be warning or alert messages ifthe drug consumer misses their dosage for more than a specified lengthof time past the dosage time. There could also be messages indicatingthat forced entry has been attempted or achieved on the dispensingdevice.

In some embodiments the dispensing device might offer a physical displayfor the drug consumer. In other embodiments the dispensing device mighthave a set of LED lights 1426 or auditable output options 1426. In otherembodiments one or more messages can be sent to the drug consumer usingconfigured information to inform them of the state change within thedispensing device.

These and other embodiments are possible for the dispensing devicedepending on the goals of the solution. In some embodiments biomedicaldata must be collected during the deployment phase of the dispensingdevice. In these embodiments further advanced functions for thedispensing device are possible 1426. In some embodiments the drugconsumer has a wearable device to monitor drug consumption. This couldbe a watch, ring, bracelet, band around the stomach or a belt devicecapable of picking up a signal when a drug has been consumed anddigested. The use of specialized chemical compounds to achieve such drugconsumption monitoring are already in use as was discussed earlier. Insome embodiments, input through USB, Bluetooth, NFC or some othercommunications method allows the dispensing device to receive heart rateresults, blood testing analysis, urinalysis results or other biomedicaldata. There could also be embodiments involving GPS coordinates andproviding location information back to the central database 1426.

In other embodiments there is a camera that can take a photograph orvideo of the drug consumer when they take the pill from the extractionarea. There are embodiments where a combination of steps are needed tofulfill the biomedical requirements during the deployment phase. Forexample, the drug consumer might have to photograph urine test stripsthat have been dipped and show the results of the consumed drugs taken.These photographs must then be uploaded to the dispensing device or thecentral database directly for a health care professional to review andapprove the continued use of the drug. These and many other embodimentscould enhance the operation of the dispensing device 1426.

Different methods and systems are described to provide different exampleconfigurations. The methods are computer implemented methods usinghardware processors, secure communication channels, and non-transitorymemory.

In an aspect, embodiments can provide a method of creating, modifying,executing and tracking a dosage rule file between a central database anda drug watchdog program running on a dispensing device. The method caninvolve, at a central database, authorizing a login by matchingcredentials of the user against a database of authorized users andreceiving dispensing device identification for the dispensing device;modifying or creating a dosage rule file based on input from theauthorized user, the dosage rule file encoding at least drug consumptioninformation, identification of the drug consumer, and additionalauthorized users for this dispensing device; identifying a destinationdispensing device to receive the dosage rule file by a processing thataccesses the dispensing device identification provided by the authorizedlogin; establishing a secure communication link to encrypt messagesexchanged with the dispensing device with encryption keys to confirm theidentification information of the dispensing device; downloading, usingthe secure link, the dosage rule file to provision of the dispensingdevice, executing the dosage rule file to configure the drug watchdogprogram to: open a compartment of the dispensing device to receive drugsmatching the drug consumption information in the dosage rule file;detect the closure of the compartment to indicate the drug provisioningof the dispensing device; successfully provision a bio-identity inputand send a provisioned stage reached message to the central database toprogram the processor to a provisioned stage; receive a begin deploymentcommand from the central database to program the processor to adeployment stage of the dispensing device; activate timers upondeployment on the dispensing device to control release of the drugscontained in the compartment for the drug consumer; encrypt messagesusing the encryption keys; send the encrypted drug consumption messagesfor viewing by all authorized users to the central database uponexpiration of at least one of the timers.

In an aspect, embodiments can provide a method of creating, modifying,executing and tracking a dosage rule file between a central database anda drug watchdog program running on a dispensing device. The method caninvolve at a central database, authorizing a login by matching thecredentials of the user against a database of authorized users andreceiving dispensing device identification; generating a dosage rulefile encoding at least identification of a drug consumer, drugconsumption information and additional authorized users for thisdispensing device; identifying a destination dispensing device toreceive the dosage rule file through the dispensing deviceidentification provided by the authorized login; establishing anencrypted communication channel with the dispensing device to confirmthe identity of the dispensing device; downloading, using the encryptioncommunications channel, the dosage rule file to enable provisioning ofthe dispensing device; executing the dosage rule file to configure thedrug watchdog program to: open a compartment of the dispensing device toallow drugs to be inserted matching the drug consumption information inthe dosage rule file; detect the closure of the compartment to indicatethe drug provisioning of the dispensing device; successfully provision abio-identity input from drug consumer and send a confirmation message toenter a provisioned stage; receive a begin deployment command thatcommences the deployment stage of the dispensing device; activate timersupon deployment on the dispensing device to allow the controlled releaseof the drugs contained in the compartment for the drug consumer; andsend drug consumption messages for viewing by all authorized users,using the encrypted communication channel, to the central database uponexpiration of at least one of the timers.

In an aspect, embodiments can provide a method of creating, modifying,executing and tracking a dosage rule file between a central database anda drug watchdog program running on a dispensing device. The methodinvolves, at a central database, creating an authorized user byverifying a dispensing device coupled to the user’s computer andgenerating a login communication session; generating a completed dosagerule file containing at least identification of a drug consumer, drugconsumption information and additional authorized users for thisdispensing device; identifying a destination dispensing device toreceive the completed dosage rule file using dispensing deviceidentification provided by using the login communication session; usingthe dispensing device identification to select encryption keys to beused to encrypt messages exchanged with the dispensing device;downloading, using the selected encryption keys, the dosage rule file toenable the provisioning of dispensing device; executing the dosage rulefile to configure the drug watchdog program to: open a compartment ofthe dispensing equipment to allow drugs to be inserted matching the drugconsumption information in the dosage rule file; detect the closure ofthe compartment to indicate the drug provisioning of the dispensingdevice; successfully provision a bio-identity input from drug consumerand sending a confirmation message to the central database to enter aprovisioned stage of the dispensing device; receive a begin deploymentcommand from the central database that commences the deployment stage ofthe dispensing device; activate timers upon deployment on the dispensingdevice to allow the controlled release of the drugs contained in thecompartment for the drug consumer; and send drug consumption messagesfor viewing by all authorized users, using the selected encryption keys,to the central database upon expiration of the timer.

In an aspect, embodiments can provide a method of creating, modifying,executing and tracking a dosage rule file between a central database anda drug watchdog program running on a dispensing device. The methodinvolves: at dispensing device with a drug watchdog program, detecting aconnection from a selected dispensing device to a user’s computersystem; permitting a login by the user to create an authorized drugdispenser; providing an interface through the connection to receiveinput from the authorized drug dispenser to generate a completed dosagerule file, containing at least the drug consumer’s identity, drugconsumption information and additional authorized users for thisdispensing device, on the connected dispensing device; initiating aseparate connection to the central database when the authorized drugdispenser has finished the completed dosage file; using the separateconnection to provide the selected dispensing device’s identification inorder to select encryption keys to be used to encrypt messages exchangedbetween the dispensing device and the central database; exchanging thecompleted dosage rule file with the central database to enable theprovisioning of the dispensing device; executing the dosage rule file toconfigure the drug watchdog program to: open a compartment of thedispensing device to allow drugs to be inserted matching the drugconsumption information in the dosage rule file; detect the closure ofthe compartment to indicate the drug provisioning of the dispensingdevice; successfully provision a bio-identity input from drug consumerand sending a confirmation message to the central database to enter aprovisioned stage of the dispensing device; receive a begin deploymentcommand from the central database that commences the deployment stage ofthe dispensing device; activate timers upon deployment on the dispensingdevice to allow the controlled release of the drugs contained in thecompartment; and send drug consumption messages for viewing by allauthorized users, using the selected encryption keys to the centraldatabase when the timer expires.

In an aspect, embodiments can provide a method of creating, modifying,executing and tracking a dosage rule file between a central database anda drug watchdog program running on a dispensing device. The methodinvolves: at a drug watchdog program, detecting a connection from aselected dispensing device to a user’s computer system; authorizing theuser as an authorized drug dispenser, by accepting a login at a centraldatabase upon confirmation of the identification information of theconnected dispensing device; providing, to the authorized drugdispenser, an interface on the central computer in order to generate acompleted dosage rule file containing at least the drug consumer’sidentity, drug consumption information and additional authorized usersfor this dispensing device; detecting the finishing of the completeddosage rule file and using the selected dispensing device’sidentification received from the dispensing device through itsconnection to the user’s computer, to create an secure channel toencrypt all messages exchanged between the dispensing device and thecentral database; exchanging the completed dosage rule file with thecentral database to enable the provisioning of the dispensing device;executing the dosage rule file to configure the drug watchdog programto: open a compartment of the dispensing device to allow drugs to beinserted matching the drug consumption information in the dosage rulefile; detect the closure of the compartment to indicate the drugprovisioning of the dispensing device; successfully provision abio-identity input from drug consumer and sending a confirmation messageto the central database to enter a provisioned stage of the dispensingdevice; receive a begin deployment command from the central databasethat commences the deployment stage of the dispensing device; activatetimers upon deployment on the dispensing device to allow the controlledrelease of the drugs contained in the compartment; and send drugconsumption messages for viewing by all authorized users, using theselected encryption keys to the central database when the timer expires.

In an aspect, embodiments can provide a method of creating, modifying,executing and tracking a dosage rule file between a central database anda drug watchdog program running on a dispensing device. The methodinvolves: at a drug watchdog program, establishing a secure cellulardata communication path with a central database by using the dispensingdevice’s identification to select encryption keys; receiving anindication from the central database over the secure communication paththat a completed dosage rule file, containing at least the drugconsumer’s identity, drug consumption information and additionalauthorized users for this dispensing device, is ready for download, thecompleted dosage rule file encrypted using encryption keys linked to thedispensing device identification; verifying that at least one authorizeduser is in possession of the identified dispensing device by changingthe state of the dispensing device and requiring the authorized user toverify that state; exchanging the completed dosage rule file with thecentral database when the authorized user is verified, to enable theprovisioning of the dispensing device; at the dispensing device,executing the dosage rule file to configure the drug watchdog programto: open a compartment of the dispensing device to allow drugs to beinserted matching the drug consumption information in the dosage rulefile; detect the closure of the compartment to indicate the drugprovisioning of the dispensing device; successfully provision abio-identity input from drug consumer and sending a confirmation messageto the central database to end a provisioned stage of the dispensingdevice; receive a begin deployment command from the central databasethat commences the deployment stage of the dispensing device; activatetimers upon deployment on the dispensing device to allow the controlledrelease of the drugs contained in the compartment; and send drugconsumption messages and alert messages for viewing by all authorizedusers, using the selected encryption keys to the central database whenthe timer expires.

In an aspect, embodiments can provide a method of creating, modifying,executing and tracking a dosage rule file by an authorized drugdispenser using one or more databases and a drug watchdog programrunning on a dispensing device. The method involves: authorizing a loginby matching the credentials of the user against a prescription databaseof authorized users to create an authorized drug dispenser; searching bythe authorized drug dispenser for prescription information on aprescription database linked to a drug consumer’s identity; creating adosage rule file from the prescription information that can bedownloaded to the dispensing device; establishing a secure datacommunication path between a central database used for managingdispensing devices, by using identification of the dispensing device toselect encryption keys; exchanging with the central database over thesecure communication path the dosage rule file storing at least the drugconsumer’s identity, drug consumption information and additionalauthorized users for the dispensing device, the dosage rule fileencrypted using encryption keys linked to the dispensing deviceidentification; executing the dosage rule file to configure the drugwatchdog program to: open a compartment of the dispensing device toallow drugs to be inserted matching the drug consumption information inthe dosage rule file; detect the closure of the compartment to indicatethe drug provisioning of the dispensing device; successfully provision abio-identity input from the drug consumer and sending a confirmationmessage to the central database to enter a provisioned stage; receive abegin deployment command from the central database that commences thedeployment stage; activate timers upon deployment on the dispensingdevice to allow the controlled release of the drugs contained in thecompartment; and send drug consumption messages and alert messages forviewing by all authorized users, using the selected encryption keys tothe central database when the timer expires.

In some embodiments, the change of state involves the illumination ofLED lights on the dispensing device following a pattern sent from thecentral database. In some embodiments, the change of state involves thedisplay of a series of letters, numbers or symbols on a display providedby the dispensing device following a pattern sent from the centraldatabase.

In some embodiments, the prescription database is a e-prescribingservice established for a national registry of patient prescriptionservices.

In some embodiments, the completing of the steps to create a dosage rulefile involves moving the prescription information from the prescriptiondatabase to the central database that is used for managing dispensingdevices.

In some embodiments, the provisioning of a bio-identity involves the useof a biometric input that is also used during the deployment phase toconfirm the drug consumer’s identity for the removal of the regular doseof drug following the guidelines in the dosage rule file.

In some embodiments, the provisioning of the bio-identity involves theinput of one or more biomedical inputs selected from any of bloodanalysis results, urinalysis results, heart rate information, EKGinformation, EEG information, saliva analysis results, photographicimages of the drug consumer and photographic images of analysis results.

In some embodiments, the provisioning of biomedical information to enterthe deployment stage is repeated at various configured intervals duringthe deployment phase to ensure the continued dispensing of regular drugdoses.

In some embodiments, during the deployment stage additional biomedicalinput is required at various configured stages to ensure the continueddispensing of regular drug doses. Biomedical inputs can include one ormore of blood analysis results, urinalysis results, heart rateinformation, EKG information, EEG information, saliva analysis results,photographic images of the drug consumer, photographic images ofanalysis results and drug consumption feedback from drug digestionmonitors.

In some embodiments, the creating of the dosage rule file allows thedefinition of additional authorized users to access informationexchanged with the chosen dispensing device.

In some embodiments, the accessing of information exchanged by allauthorized users further includes the ability for one or more of theauthorized users to modify the dosage rule file.

In some embodiments, the dosage rule file changes it will be downloadedto the dispensing device to replace the existing dosage rule file,leading to an updated execution of the dosage rule file by the drugwatchdog program.

In some embodiments, the change of state involves the playing of aseries of sounds on the dispensing device following a pattern sent fromthe central database.

In some embodiments, activation of timers to allow the release of drugsalso includes the addition of auditory sounds when drug dose timersexpire.

In some embodiments, the opening of the compartment requires aconfirming status message from the central database informing the drugwatchdog to perform an unlock procedure.

In some embodiments, the expiration of the activated drug dose timers toallow the release of a drug dose, also includes one or more indicationsincluding modifying the display of LED lights, displaying a message on ascreen, the playing of auditory sounds and the sending one or moremessage to the drug consumer using a configured communication method.

In some embodiments, an alert message from the dispensing device goingto the central database can also be relayed from the central database tothe drug consumer using one or more configured communication methods. Insome embodiments, an alert message within the dispensing device can besent directly to the drug consumer’s computer device using one or moreconfigured communication methods.

In some embodiments, the insertion of drugs matching the drugconsumption information takes places using a drug detection means thatidentifies each drug that is inserted into the dispensing device.

In some embodiments, receiving biometric input to the dispensing deviceto confirm removal of the drugs. In some embodiments, detecting aconnection to a user’s computer system involves receiving and completinga Universal Serial Bus (USB) handshaking protocol. In some embodiments,detecting a connection to a user’s computer system involves receivingand completing the Bluetooth pairing protocol. In some embodiments, theopening of the compartment requires a confirming status message from thecentral database inform the drug watchdog to perform an unlockprocedure.

In some embodiments, the viewing of messages by all authorized usersfurther includes the ability for one of the authorized users to modifythe dosage rule file.

In some embodiments, activation of timers to allow the release of drugsalso includes the addition of auditory sounds when drug dose timersexpire. In some embodiments, activation of timers to allow the releaseof drugs also includes LED light illuminations when drug dose timersexpire. In some embodiments, the central database allows multipledispensing devices to be in a provisioned stage and sends a begindeployment command to only one dispensing device assigned to the samedrug consumer at a time.

In some embodiments, when the central database detects that a deployeddispensing device has run out of drugs it sends a begin deploymentcommand to the next provisioned dispensing device for the same drugconsumer.

In an aspect, embodiments can provide a system for creating, modifying,executing and tracking a dosage rule file. The system can involve acentral database to generate and provide a completed dosage rule file,containing at least a drug consumer’s identity, drug consumptioninformation and authorized users for a dispensing device, the completeddosage rule file encrypted using encryption keys linked to thedispensing device identification; a drug watchdog program running on thedispensing device, the drug watchdog program having instructions to:establish a secure cellular data communication path with the centraldatabase by using the dispensing device’s identification to create anencrypted channel; verify that at least one authorized user is inpossession of the identified dispensing device by changing the state ofthe dispensing device and requiring the authorized user to verify thatstate; receive an indication from the central database within thereceived status message over the secure communication path that thecompleted dosage rule file is ready for download after the authorizeduser is verified; exchange the completed dosage rule file with thecentral database to enable the provisioning of the dispensing device;wherein the completed dosage rule file executes to: open a compartmentof the dispensing device to allow drugs to be inserted matching the drugconsumption information in the dosage rule file; detect the closure ofthe compartment to indicate the drug provisioning of the dispensingdevice; successfully provision a biometric input from drug consumer andsending a confirmation message to the central database to enter aprovisioned stage of the dispensing device; receive a begin deploymentcommand from the central database that commences the deployment stage ofthe dispensing device; activate timers upon deployment on the dispensingdevice to allow the controlled release of the drugs contained in thecompartment; and send drug consumption messages for viewing by allauthorized users, using the selected encryption keys to the centraldatabase when the timer expires.

In some embodiments, the change of state involves the illumination ofLED lights on the dispensing device following a pattern sent from thecentral database.

In some embodiments, the change of state involves the playing of aseries of sounds on the dispensing device following a pattern sent fromthe central database.

In some embodiments, the change of state involves the display of aseries of letters, numbers or symbols on a display provided by thedispensing device following a pattern sent from the central database.

In some embodiments, the drug watchdog program receives biometric inputat the dispensing device to confirm removal of the drugs.

In some embodiments, the drug watchdog program detects a connection to auser’s computer system by receiving and completing a Universal SerialBus (USB) handshaking protocol. In some embodiments, the drug watchdogprogram detects a connection to a user’s computer system involvesreceiving and completing the Bluetooth pairing protocol. In someembodiments, the completed dosage rule file executes to detect theopening of the compartment by receiving a confirming status message fromthe central database to perform an unlock procedure. In someembodiments, the messages provides for the ability for one of theauthorized users to modify the dosage rule file. In some embodiments,the dosage rule file changes it will be downloaded to the dispensingdevice to replace the existing dosage rule file.

In some embodiments, activation of timers to allow the release of drugsalso includes the addition of auditory sounds when drug dose timersexpire. In some embodiments, activation of timers to allow the releaseof drugs also includes LED light illuminations when drug dose timersexpire. In some embodiments, the insertion of drugs matching the drugconsumption information takes places using a drug detection means thatidentifies each drug that is inserted into the dispensing device.

In an aspect, embodiments can provide a method of controlling andtracking a dosage rule file between a central database and a drugwatchdog program running on a dispensing device. The method can involve,at a central database, authorizing a login by verifying user login data;creating a dosage rule file containing at least drug consumptioninformation and additional authorized users for this dispensing device;displaying tracking information from the dispensing device for theadditional authorized users; initiating a secure link between thecentral database and the drug watchdog program by creating and using ashared encryption key; downloading, over the secure link, the dosagerule file and other messages related to operation of the dispensingdevice; executing the dosage rule file to configure the drug watchdogprogram to: open a compartment of the dispensing device using a lock toallow drugs to be inserted into the main compartment; detect the closureof the compartment using the lock and allowing a controlled release ofthe drugs contained in the compartment; and send feedback messages tothe central database of activities detected on the dispensing device.

In an aspect, embodiments can provide a method of controlling andtracking a dosage rule file between a central database and a drugwatchdog program running on a dispensing device. The method involves: ata drug watchdog program, detecting a connection to a drug dispenser’scomputer; verifying a login by a drug dispenser’s to permit access tothe dispensing device; using an interface to generate a dosage rulefile; initiating a secure link between the drug watchdog program and thecentral database by creating and using a shared encryption key;uploading to the central database over the secure link the dosage rulefile and other messages related to operation of the dispensing device;executing the dosage rule file to configure the drug watchdog programto: open a compartment of the dispensing device using a lock to allowdrugs to be inserted into the main compartment; detect the closure ofthe compartment through the lock and allowing release of the drugscontained in the compartment using an ejector; and send feedbackmessages to the central database of activities detected on thedispensing device.

In some embodiments, authorizing the login involves authenticating usinga connection to an authenticated dispensing device.

In some embodiments, authorizing the login involves matching logininformation to data received from one or more governing body ofprofessionals and government organizations.

In some embodiments, the drug consumption information includes thenumber of drugs to be inserted into the dispensing device.

In some embodiments, an additional authorized user can also have thedosage rule file updated and downloaded to the dispensing device.

In an aspect, embodiments can provide a method of controlling andtracking a dispensing device for delivery of prescription drugs for adrug consumer using a dosage rule file for configuring a drug watchdogprogram to control the dispensing device. The method involves:generating a login procedure to establish an authorized drug prescriberand an authorized drug dispenser by matching credentials for authorizeddrug prescriber and the authorized drug dispenser to data encoding drugprescribers and drug dispensers; generating the dosage rule file for thedrug consumer containing at least drug consumption information based oninput from an authorized drug prescriber and identification informationreceived from a drug consumer; receiving a request from an authorizeddrug dispenser to match a drug consumer’s identification information tothe identification information in the dosage rule file; authenticatingat a central database an attached dispensing device with one or moremessages exchanged with a drug watchdog program running within thedispensing device; downloading, using one or more of the messages, thedosage rule file to the dispensing device for use by the drug watchdogprogram; executing the dosage rule file to configure the drug watchdogprogram to: block all attempts by other programs running on thedispensing device to perform file commands on the dosage rule file; usethe drug consumption information within the dosage rule file to time therelease of drugs contained within the dispensing device through a drugejector; and provide feedback messages of all activities that take placeat the dispensing device to the central database.

In some embodiments, the authorized drug prescriber and the authorizeddrug dispenser use a biometric input as part of creating a loginprocedure at the central database.

In some embodiments, the taking identification includes using biometricinformation from the drug consumer. In some embodiments, the drugdispenser matches the drug consumer’s information by taking biometricinformation from them. In some embodiments, the authenticating of thedispensing device takes place by sending a manufactured serial numberwhen exchanging one or more messages.

In some embodiments, the authenticating of the dispensing device takesplace using public and private encryption keys that were pre-loadedduring the manufacturing process.

In some embodiments, the authenticating of the dispensing device alsorequires a physical connection to a computer within the drug dispenser’slocation.

In some embodiments, the authenticated dispensing device also requiresthe creation of a separate encryption key that is used for all dataexchanges with the central database.

In some embodiments, the authenticating of an attached dispensing devicecan also include the ability to detect the type and number of drugswithin the drug dispensing device to ensure ample supply is present forthe next dose.

In some embodiments, the authenticating of an attached dispensing devicecan also include the ability to detect that there should be ample drugsstill available inside the device and refusing to allow more drugs to beadded.

In some embodiments, the feedback can also include detection ofunauthorized activity upon the file or damage to the file to allow forre-acquisition of the file if needed.

In some embodiments, the feedback can also include detection ofunauthorized attempts to access the contents of the dispensing device.

In some embodiments, the restricting of access on the prescription filealso includes the ability to update the dosage rule file should anauthorized change be needed to the original dosage rule file.

In some embodiments, the feedback also includes providing GPS locationinformation when a change is detected.

In some embodiments, the feedback also includes detecting a misseddosage and sending GPS coordinates.

In some embodiments, the feedback also includes photographic informationtaken each time a single dose of drugs are ejected for the drugconsumer.

In some embodiments, the feedback also includes ingestion informationwhen a signal is received based on ingestion of the drug dosage withinthe stomach of a drug consumer.

In some embodiments, the ingestion information comes from a device thatis worn on the body of the drug consumer.

In some embodiments, the signal is generated by two or more compoundsthat when mixed with stomach acids generate a detectable signal fromwithin the drug consumer’s stomach. In some embodiments, the one or moremessages and feedback message are transmitted over a cellular network.In some embodiments, the one or more messages and feedback messages aretransmitted using a WiFi communication method. In some embodiments, theone or more messages and feedback messages are transmitted using aBluetooth communication method. In some embodiments, the one or moremessages and feedback messages are transmitted using a USB connection.

In an aspect, embodiments can provide a method of using a dosage rulefile to configure a drug watchdog program on a drug dispensing deviceand a central database to track and control the use of prescriptiondrugs. The method can involve: authorizing a drug prescriber and a drugdispenser at a central database through a secure login procedure;permitting the authorized drug prescriber to create a dosage rule filecontaining drug consumption requirements on the central database;requiring an authorized drug prescriber to acquire an identity for adrug consumer and associating the identity to the dosage rule filewithin the central database; permitting an authorized drug dispenser tosearch for the dosage rule file with the identity provided by the drugconsumer; sending search match results from the central database to anauthorized drug dispenser confirming that the dosage rule file waslocated for the drug consumer; opening a data communications connectionbetween the dispensing device and the central database; securelydownloading the authorized dosage rule file into the dispensing deviceusing one or more messages; allowing the authorized drug dispenser toaccess a drug containment area within the dispensing device to receivethe prescribed drugs; and using the drug consumption information withinthe authorized dosage rule file to guide the dispensing device inpermitting drugs to be dispensed for the matching drug consumer.

In an aspect, embodiments can provide a method of using a drug watchdogprogram working within a dispensing device to control and regulate theuse of prescription drugs comprising the steps of: within the dispensingdevice: detecting a connection to a computer system that is locatedwithin a drug dispenser’s facility; opening a connection to a centraldatabase to establish an encryption key for creating a securecommunication path; receiving confirmation over the secure connectionpath that an authorized dosage rule file containing operating parameterswill be downloaded for use by the drug watchdog program; permittingaccess to a main containment area to allow the drug dispenser to place aquantity of drugs to be consumed; detecting the closing of the maincontainment area and locking the main containment area to stop anyfurther access to the main containment area; using the operatingparameters within the authorized dosage rule file by the drug watchdogprogram to control the dispensing device, wherein the dosage rule fileconfigures the drug watchdog program to stop all file access attempts byother programs on the authorized dosage rule file; use the operatingparameters within the authorized dosage rule file to time the release ofdrugs contained within the dispensing device; send secure messages to acentral database regarding all activities that are detected bydispensing device.

In an aspect, embodiments can provide a method of controlling andtracking a dispensing device for delivery of prescription drugs by anauthorized drug dispenser using a dispensing device. The methodinvolves: connecting a dispensing device to a drug dispenser’s computer;establishing an authorized drug dispenser by exchanging credentials withthe dispensing device to create an authorizing login procedure;generating, by the authorized drug dispenser, a dosage rule file for adrug consumer containing at least drug consumption information and thequantity of drugs to be placed into the dispensing device based oninformation provided by the drug prescriber; receiving identificationinformation from the drug consumer by the authorized drug dispenser toinclude within the dosage rule file; provisioning the dispensing deviceby securely downloading the dosage rule file by the authorized drugdispenser to a drug watchdog program running on the dispensing device;wherein the dosage rule file configures the drug watchdog program to:only open the main compartment by an authorized drug dispenserperforming the authorizing login procedure, allow drugs matching theamount of drugs indicated in the dosage rule file into main compartmentof the dispensing device; closing the main compartment to a lockedposition to indicate drug provisioning of the dispensing device;provision a bio-identity input from drug consumer and sending aconfirmation message to the central database to enter a provisionedstage of the dispensing device; receive a begin deployment command fromthe central database that commences the deployment stage of thedispensing device; use the drug consumption information within thedosage rule file upon deployment stage, to time the release of drugscontained within the dispensing device; detect any attempts to breakinto the dispensing device and report messages on the detection to acentral database, and provide feedback messages of all activities thattake place at the dispensing device to the central database.

In some embodiments, the taking identification from the drug consumerincludes using biometric information from the drug consumer.

In some embodiments, the dosage rule file also contains biometricinformation from the drug consumer.

In some embodiments, the time release of drugs also requires a biometricinput from the drug consumer.

In some embodiments, a failsafe procedure is provided to the drugconsumer to release one or more additional dosages of drugs should afailure be detected when attempting to dispense a drug at the appointedtime release period.

In some embodiments, the taking identification from the drug consumerincludes using biometric information from the drug consumer. In someembodiments, the dosage rule file also contains biometric informationfrom the drug consumer. In some embodiments, the time release of drugsalso requires a biometric input from the drug consumer.

In some embodiments, a failsafe procedure is provided to the drugconsumer to release one or more additional dosages of drugs should afailure be detected when attempting to dispense a drug at the appointedtime release period.

In some embodiments, biometric input can be one or more of fingerprintdetection, facial recognition, retina scan, voice matching and deep veinmatching.

In an aspect, embodiments can provide a method of using a drug watchdogprogram working within a dispensing device to control and track the useof drugs, the method involving: at a dispensing device: detecting anauthorized connection to a computer system using one or more approvedconnection methods; authorizing access over the approved connection to adrug dispenser using their credentials to create an authorizing loginprocedure; permitting access to a main containment area to allow theauthorized drug dispenser to place a quantity of drugs to be consumed;accepting the download of a dosage rule file that contains at least thetimed dosage requirements and the amount of drugs to be placed withinthe main containment area; detecting the closing of the main containmentarea and locking it to stop any further access; using the operatingparameters within the dosage rule file by the drug watchdog program toguide the daily operation; executing the dosage rule file to configurethe drug watchdog program to: stop all file access attempts by otherprograms on the dosage rule file; use the operating parameters withinthe authorized dosage rule file to time the release of drugs containedwithin the dispensing device; send secure messages to a central databaseregarding all activities that are detected, and only open the maincompartment when the authorizing login procedure is successfullyexecuted.

Different example system architectures and configurations are describedfor different embodiments.

1. A computer implemented method of remotely controlling a dispensingdevice using a central server, the method comprising: at a centralserver having a hardware processor with an interface and anon-transitory memory storing a database, authenticating a person toprovision and deploy an authorized dispensing device; confirming asecure link to the authorized dispensing device using a dispensingdevice identification stored in the database; generating a dosage rulefile encoding at least drug consumption information into machinereadable instructions for a drug watchdog program; transmitting, usingthe secure link, the dosage rule file to the authorized dispensingdevice using the dispensing device identification; sending a deploymentcommand to the authorized dispenser device upon receiving a provisionedstage reached message indicating that provisioning is complete; at theauthorized dispensing device having a hardware processor and anon-transitory memory for storing the drug watchdog program and thedosage rule file, executing the dosage rule file and the drug watchdogprogram using the hardware processor to access the non-transitorymemory, and upon execution, and continuously running the drug watchdogprogram and reading the dosage rule file to: send the provisioned stagereached message to the central server indicating that provisioning iscomplete; receive one or more remote commands from the central server toenter deployment and enable dispensing of contents, the one or morecommands comprising the deployment command; limit dispensing activitiesbased on the encoded drug consumption information and the remotecommands received from the central server; and send drug consumptionmessages to the central server.
 2. A computer implemented method ofclaim 1 wherein the message confirms that a bio-identity has beenreceived from a drug consumer.
 3. A computer implemented method of claim1 wherein the received one or more remote commands from the centralserver authorize each drug extraction by a drug consumer.
 4. A computerimplemented method of claim 1 further comprising enabling extraction ofa drug dose from the contents, wherein extraction of each drug dose ispreceded by requiring a biomedical input from the drug consumer beforeenabling the extraction.
 5. A computer implemented method of claim 1further comprising using the dosage rule file to guide the timing ofdrug extraction events for a drug consumer independently from thecentral server.
 6. A computer implemented method of claim 1 furthercomprising running the drug watchdog on a cell phone and communicatingvia Bluetooth to a drug dispensing equipment.
 7. A computer implementedmethod of claim 1 further comprising, managing by the drug watchdog, aplurality of dosage rule files to control a plurality of drugcontainers.
 8. A computer implemented method of claim 1 furthercomprising running the drug watchdog on a smart watch to control drugdispensing equipment.
 9. A computer implemented method of claim 1further comprising associating, to a drug consumer, two or more drugdispenser equipment and, by the central server, deploying a second drugdispensing equipment only when a first drug dispenser equipment is emptyof all drugs.
 10. A computer implemented method of claim 1 furthercomprising authenticating access to medications using an RFID accessoperation.
 11. A computer implemented method of claim 1 furthercomprising receiving biomedical information at periodic times duringdeployment and relaying the biomedical information back to the centralserver for storage.
 12. A computer implemented method of claim 1 furthercomprising requiring a communication including a video call, a voicecall or a picture, from a drug consumer before a drug prescriber willauthorized the extraction of a drug from the authorized dispensingdevice.
 13. A computer implemented method of claim 1 further comprisingupdating the dosage rule file during deployment to a drug consumer basedon actions at the central server.
 14. A computer implemented method ofclaim 1 further comprising attaching an RFID tag on a covering orcontainer enclosing the drugs and detecting and reading the RFID tag bythe dispensing equipment.
 15. A computer implemented method of claim 1further comprising sending, by the central server, a remote controlcommand to stop deployment at any time during the deployment stage. 16.A computer system for remotely controlling a dispensing device using acentral server, the system comprising: a central server having ahardware processor with a non-transitory memory storing a database forauthenticating users and verifying an authorized dispensing device, andan interface for completing a dosage rule file encoding at leastconsumption information into machine readable instructions for a drugwatchdog program; the authorized dispensing device having a hardwareprocessor and a non-transitory memory for storing the drug watchdogprogram, and execution the drug watchdog program to continuously run onthe authorized dispensing device and receiving remote commands from thecentral server to: receive the dosage rule file to guide and limitactions and allow authentication of a person to access medications tocomplete provisioning; receive a remote command to start and stopdeployment to allow controlled release of drugs contained in acompartment; and send drug consumption messages back to the centralserver indicating all activity taking place on the authorized dispensingdevice.
 17. The system of claim 16, wherein extraction of each drug doseis preceded by requiring a biomedical input from the drug consumerbefore enabling the extraction.
 18. The system of claim 16, wherein thedosage rule file guides the timing of drug extraction events for a drugconsumer independently from the central server.
 19. The system of claim16, wherein authentication to access medications comprises RFIDauthentication.
 20. Non-transitory computer readable medium storinginstructions, which when executed by a processor causes the processorto: execute, at an authorized dispensing device, a dosage rule file anda drug watchdog program, and upon execution, and continuously runningthe drug watchdog program and reading the dosage rule file to: send aprovisioned stage reached message to a central server indicating thatprovisioning is complete; receive one or more remote commands from thecentral server to enter deployment and enable dispensing of contentsfrom the authorized dispensing device; limit dispensing activities ofthe authorized dispensing device based on the encoded drug consumptioninformation and the remote commands received from the central server;and send drug consumption messages to the central server.